Laurent Destailleur

45 exploits, active since Jun 2017
CVE-2018-19998 HIGH
Dolibarr 8.0.2 - SQL Injection
SQL injection vulnerability in user/card.php in Dolibarr version 8.0.2 allows remote authenticated users to execute arbitrary SQL commands via the employee parameter.
CVSS 8.8
CVE-2018-9019 CRITICAL
Dolibarr < 7.0.2 - SQL Injection
SQL Injection vulnerability in Dolibarr before version 7.0.2 allows remote attackers to execute arbitrary SQL commands via the sortfield parameter to /accountancy/admin/accountmodel.php, /accountancy/admin/categories_list.php, /accountancy/admin/journals_list.php, /admin/dict.php, /admin/mails_templates.php, or /admin/website.php.
CVSS 9.8
CVE-2020-12669 HIGH
Dolibarr <11.0.4 - Auth Bypass
core/get_menudiv.php in Dolibarr before 11.0.4 allows remote authenticated attackers to bypass intended access restrictions via a non-alphanumeric menu parameter.
CVSS 8.8
CVE-2020-14443 HIGH
Dolibarr < 11.0.3 - SQL Injection
A SQL injection vulnerability in accountancy/customer/card.php in Dolibarr 11.0.3 allows remote authenticated users to execute arbitrary SQL commands via the id parameter.
CVSS 8.8
CVE-2020-14475 MEDIUM
Dolibarr Erp/crm < 11.0.5 - XSS
A reflected cross-site scripting (XSS) vulnerability in Dolibarr 11.0.3 allows remote attackers to inject arbitrary web script or HTML into public/notice.php (related to transphrase and transkey).
CVSS 6.1
CVE-2020-35136 HIGH
Dolibarr <12.0.3 - Authenticated RCE
Dolibarr 12.0.3 is vulnerable to authenticated Remote Code Execution. An attacker who has access to the admin dashboard can manipulate the backup function by inserting a payload into the filename for the zipfilename_template parameter to admin/tools/dolibarr_export.php.
CVSS 7.2
CVE-2021-25954 MEDIUM
Dolibarr < 13.0.4 - Incorrect Authorization
In the “Dolibarr” application, versions 2.8.1 to 13.0.4 do not restrict, or incorrectly restrict, access to a resource from an unauthorized actor. A low privileged attacker can modify the Private Note, which only an administrator has rights to do; the affected field is at the “/adherents/note.php?id=1” endpoint.
CVSS 4.3
CVE-2021-25955 CRITICAL
Dolibarr < 13.0.2 - XSS
In “Dolibarr ERP CRM”, WYSIWYG Editor module, v2.8.1 to v13.0.2 are affected by a stored XSS vulnerability that allows low privileged application users to store malicious scripts in the “Private Note” field at the “/adherents/note.php?id=1” endpoint. These scripts are executed in a victim’s browser when they open the page containing the vulnerable field. In the worst case, the victim who inadvertently triggers the attack is a highly privileged administrator. The injected scripts can extract the Session ID, which can lead to full account takeover of the admin, and due to another vulnerability (Improper Access Control on Private Notes) a low privileged user can update the private notes, which could lead to privilege escalation.
CVSS 9.0
CVE-2021-25956 MEDIUM
Dolibarr < 13.0.2 - Improper Access Control
In the “Dolibarr” application, v3.3.beta1_20121221 to v13.0.2 give admin level users “Modify” access to change other users’ details, but fail to validate an already existing “Login” name when renaming a user’s “Login”. This leads to complete account takeover of the victim user, since the password gets overwritten for the victim user having the same login name.
CVSS 4.7
CVE-2021-25957 HIGH
Dolibarr < 13.0.2 - Password Reset Weakness
In the “Dolibarr” application, v2.8.1 to v13.0.2 are vulnerable to account takeover via the password reset functionality. A low privileged attacker can reset the password of any user in the application using the password reset link that user received through email when requesting a forgotten password.
CVSS 8.8
CVE-2021-3991 MEDIUM
Dolibarr Erp/crm < 20.0.2 - Improper Authorization
An Improper Authorization vulnerability exists in Dolibarr versions prior to the 'develop' branch. A user with restricted permissions in the 'Reception' section is able to access specific reception details via direct URL access, bypassing the intended permission restrictions.
CVSS 4.3
CVE-2022-0224 CRITICAL
dolibarr - SQL Injection
dolibarr is vulnerable to Improper Neutralization of Special Elements used in an SQL Command.
CVSS 9.8
CVE-2022-0414 MEDIUM
Packagist dolibarr/dolibarr <16.0 - Info Disclosure
Improper Validation of Specified Quantity in Input in Packagist dolibarr/dolibarr prior to 16.0.
CVSS 4.3
CVE-2022-0731 MEDIUM
dolibarr/dolibarr <16.0 - IDOR
Improper Access Control (IDOR) in GitHub repository dolibarr/dolibarr prior to 16.0.
CVSS 6.5
CVE-2022-0746 MEDIUM
dolibarr/dolibarr <16.0 - Info Disclosure
Business Logic Errors in GitHub repository dolibarr/dolibarr prior to 16.0.
CVSS 4.3
CVE-2022-0819 HIGH
Dolibarr Erp/crm < 15.0.1 - Code Injection
Code Injection in GitHub repository dolibarr/dolibarr prior to 15.0.1.
CVSS 8.8
CVE-2022-4093 CRITICAL
Dolibarr 16.0.1 and 16.0.2 - SQL Injection
SQL injection attacks can result in unauthorized access to sensitive data, such as passwords, credit card details, or personal user information. Many high-profile data breaches in recent years have been the result of SQL injection attacks, leading to reputational damage and regulatory fines. In some cases, an attacker can obtain a persistent backdoor into an organization's systems, leading to a long-term compromise that can go unnoticed for an extended period. This affects 16.0.1 and 16.0.2 only; 16.0.0 or lower and 16.0.3 or higher are not affected.
CVSS 9.8
CVE-2023-4198 MEDIUM
Dolibarr Erp/crm < 17.0.3 - Missing Authorization
Improper Access Control in Dolibarr ERP CRM <= v17.0.3 allows an unauthorized authenticated user to read a database table containing customer data.
CVSS 6.5
CVE-2023-5323 MEDIUM
Dolibarr Erp/crm < 18.0 - XSS
Cross-site Scripting (XSS) - Generic in GitHub repository dolibarr/dolibarr prior to 18.0.
CVSS 6.1
CVE-2023-5842 MEDIUM
Dolibarr Erp/crm < 16.0.5 - XSS
Cross-site Scripting (XSS) - Stored in GitHub repository dolibarr/dolibarr prior to 16.0.5.
CVSS 4.8