Laurent Destailleur

45 exploits. Active since Jun 2017.
CVE-2026-22666 | HIGH | Writeup
Dolibarr ERP/CRM < 23.0.2 Authenticated RCE via dol_eval_standard()
Dolibarr ERP/CRM versions prior to 23.0.2 contain an authenticated remote code execution vulnerability in the dol_eval_standard() function that fails to apply forbidden string checks in whitelist mode and does not detect PHP dynamic callable syntax. Attackers with administrator privileges can inject malicious payloads through computed extrafields or other evaluation paths using PHP dynamic callable syntax to bypass validation and achieve arbitrary command execution via eval().
CVSS 7.2
CVE-2026-34036 | MEDIUM | Writeup
Dolibarr Core Discloses Sensitive Data via Authenticated Local File Inclusion in selectobject.php
Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions 22.0.4 and prior, there is a Local File Inclusion (LFI) vulnerability in the core AJAX endpoint /core/ajax/selectobject.php. By manipulating the objectdesc parameter and exploiting a fail-open logic flaw in the core access control function restrictedArea(), an authenticated user with no specific privileges can read the contents of arbitrary non-PHP files on the server (such as .env, .htaccess, configuration backups, or logs…). At time of publication, there are no publicly available patches.
CVSS 6.5
CVE-2013-2092 | MEDIUM | Writeup
Dolibarr ERP/CRM - XSS
Cross-site Scripting (XSS) in Dolibarr ERP/CRM 3.3.1 allows remote attackers to inject arbitrary web script or HTML in functions.lib.php.
CVSS 6.1
CVE-2013-2093 | CRITICAL | Writeup
Dolibarr ERP/CRM - Improper Input Validation
Dolibarr ERP/CRM 3.3.1 does not properly validate user input in viewimage.php and barcode.lib.php which allows remote attackers to execute arbitrary commands.
CVSS 9.8
CVE-2017-1000501 | CRITICAL | Writeup
Awstats <7.6 - Path Traversal
Awstats version 7.6 and earlier is vulnerable to a path traversal flaw in the handling of the "config" and "migrate" parameters resulting in unauthenticated remote code execution.
CVSS 9.8
CVE-2017-14238 | CRITICAL | Writeup
Dolibarr ERP/CRM <6.0.0 - SQL Injection
SQL injection vulnerability in admin/menus/edit.php in Dolibarr ERP/CRM version 6.0.0 allows remote attackers to execute arbitrary SQL commands via the menuId parameter.
CVSS 9.8
CVE-2017-14239 | MEDIUM | Writeup
Dolibarr ERP/CRM 6.0.0 - XSS
Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM 6.0.0 allow remote authenticated users to inject arbitrary web script or HTML via the (1) CompanyName, (2) CompanyAddress, (3) CompanyZip, (4) CompanyTown, (5) Fax, (6) EMail, (7) Web, (8) ManagingDirectors, (9) Note, (10) Capital, (11) ProfId1, (12) ProfId2, (13) ProfId3, (14) ProfId4, (15) ProfId5, or (16) ProfId6 parameter to htdocs/admin/company.php.
CVSS 5.4
CVE-2017-14240 | HIGH | Writeup
Dolibarr ERP/CRM <6.0.0 - Info Disclosure
There is a sensitive information disclosure vulnerability in document.php in Dolibarr ERP/CRM version 6.0.0 via the file parameter.
CVSS 7.5
CVE-2017-14241 | MEDIUM | Writeup
Dolibarr ERP/CRM 6.0.0 - XSS
Cross-site scripting (XSS) vulnerability in Dolibarr ERP/CRM 6.0.0 allows remote authenticated users to inject arbitrary web script or HTML via the Title parameter to htdocs/admin/menus/edit.php.
CVSS 5.4
CVE-2017-14242 | CRITICAL | Writeup
Dolibarr <6.0.0 - SQL Injection
SQL injection vulnerability in don/list.php in Dolibarr version 6.0.0 allows remote attackers to execute arbitrary SQL commands via the statut parameter.
CVSS 9.8
CVE-2017-17897 | CRITICAL | Writeup
Dolibarr ERP/CRM < 6.0.5 - SQL Injection
SQL injection vulnerability in comm/multiprix.php in Dolibarr ERP/CRM version 6.0.4 allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVSS 9.8
CVE-2017-17898 | HIGH | Writeup
Dolibarr ERP/CRM < 6.0.5 - Information Disclosure
Dolibarr ERP/CRM version 6.0.4 does not block direct requests to *.tpl.php files, which allows remote attackers to obtain sensitive information.
CVSS 7.5
CVE-2017-17899 | CRITICAL | Writeup
Dolibarr ERP/CRM < 6.0.5 - SQL Injection
SQL injection vulnerability in adherents/subscription/info.php in Dolibarr ERP/CRM version 6.0.4 allows remote attackers to execute arbitrary SQL commands via the rowid parameter.
CVSS 9.8
CVE-2017-17900 | CRITICAL | Writeup
Dolibarr ERP/CRM < 6.0.5 - SQL Injection
SQL injection vulnerability in fourn/index.php in Dolibarr ERP/CRM version 6.0.4 allows remote attackers to execute arbitrary SQL commands via the socid parameter.
CVSS 9.8
CVE-2017-9435 | CRITICAL | Writeup
Dolibarr ERP/CRM <5.0.3 - SQL Injection
Dolibarr ERP/CRM before 5.0.3 is vulnerable to a SQL injection in user/index.php (search_supervisor and search_statut parameters).
CVSS 9.8
CVE-2018-10092 | HIGH | Writeup
Dolibarr <7.0.2 - Command Injection
The admin panel in Dolibarr before 7.0.2 might allow remote attackers to execute arbitrary commands by leveraging support for updating the antivirus command and parameters used to scan file uploads.
CVSS 8.0
CVE-2018-10095 | MEDIUM | Writeup
Dolibarr <7.0.2 - XSS
Cross-site scripting (XSS) vulnerability in Dolibarr before 7.0.2 allows remote attackers to inject arbitrary web script or HTML via the foruserlogin parameter to adherents/cartes/carte.php.
CVSS 6.1
CVE-2018-13447 | CRITICAL | Writeup
Dolibarr ERP/CRM < 7.0.4 - SQL Injection
SQL injection vulnerability in product/card.php in Dolibarr ERP/CRM version 7.0.3 allows remote attackers to execute arbitrary SQL commands via the statut parameter.
CVSS 9.8
CVE-2018-13448 | CRITICAL | Writeup
Dolibarr ERP/CRM < 7.0.4 - SQL Injection
SQL injection vulnerability in product/card.php in Dolibarr ERP/CRM version 7.0.3 allows remote attackers to execute arbitrary SQL commands via the country_id parameter.
CVSS 9.8
CVE-2018-13449 | CRITICAL | Writeup
Dolibarr ERP/CRM < 7.0.4 - SQL Injection
SQL injection vulnerability in product/card.php in Dolibarr ERP/CRM version 7.0.3 allows remote attackers to execute arbitrary SQL commands via the statut_buy parameter.
CVSS 9.8
CVE-2018-13450 | CRITICAL | Writeup
Dolibarr ERP/CRM < 7.0.4 - SQL Injection
SQL injection vulnerability in product/card.php in Dolibarr ERP/CRM version 7.0.3 allows remote attackers to execute arbitrary SQL commands via the status_batch parameter.
CVSS 9.8
CVE-2018-19992 | MEDIUM | Writeup
Dolibarr 8.0.2 - XSS
A stored cross-site scripting (XSS) vulnerability in Dolibarr 8.0.2 allows remote authenticated users to inject arbitrary web script or HTML via the "address" (POST) or "town" (POST) parameter to adherents/type.php.
CVSS 5.4
CVE-2018-19993 | MEDIUM | Writeup
Dolibarr 8.0.2 - XSS
A reflected cross-site scripting (XSS) vulnerability in Dolibarr 8.0.2 allows remote attackers to inject arbitrary web script or HTML via the transphrase parameter to public/notice.php.
CVSS 6.1
CVE-2018-19994 | HIGH | Writeup
Dolibarr 8.0.2 - SQL Injection
An error-based SQL injection vulnerability in product/card.php in Dolibarr version 8.0.2 allows remote authenticated users to execute arbitrary SQL commands via the desiredstock parameter.
CVSS 8.8
CVE-2018-19995 | MEDIUM | Writeup
Dolibarr 8.0.2 - XSS
A stored cross-site scripting (XSS) vulnerability in Dolibarr 8.0.2 allows remote authenticated users to inject arbitrary web script or HTML via the "address" (POST) or "town" (POST) parameter to user/card.php.
CVSS 5.4