In Dolibarr ERP/CRM version 6.0.0 a medium severity vulnerability CVE-2017-14240 was detected. This vulnerability allows attackers to access sensitive information due to a flaw in the document.php file via the file parameter. To address this issue, users should upgrade Dolibarr ERP/CRM to version 6.0.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2017-14240.
In Dolibarr ERP/CRM versions before 5.0.3 a high severity vulnerability CVE-2017-9435 was detected. This vulnerability allows attackers to execute arbitrary SQL commands due to a SQL injection flaw in the search_supervisor and search_statut parameters within the user/index.php file. To address this issue, users should upgrade Dolibarr ERP/CRM to version 5.0.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2017-9435.
In Dolibarr ERP/CRM version 3.8.3 a low severity vulnerability CVE-2016-1912 was detected. This vulnerability allows remote authenticated users to inject arbitrary web script or HTML via the lastname, firstname, email, job, or signature parameters to htdocs/user/card.php, leading to Cross-Site Scripting (XSS). To address this issue, users should upgrade Dolibarr ERP/CRM to versions 3.8.3 or higher. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2016-1912.
In Dolibarr versions prior to 23.0.0 a critical severity vulnerability CVE-2026-23500 was detected. This vulnerability allows authenticated administrators to inject arbitrary OS commands and achieve remote code execution (RCE) as the web server user by manipulating the MAIN_ODT_AS_PDF configuration constant during the ODT to PDF conversion process. To address this issue, users should upgrade Dolibarr to version 23.0.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-23500.
In Dolibarr ERP/CRM versions prior to 23.0.2 a high severity vulnerability CVE-2026-22666 was detected. This vulnerability allows authenticated administrators to achieve remote code execution through the dol_eval_standard() function. The function fails to properly enforce forbidden string checks in whitelist mode and does not detect PHP dynamic callable syntax, allowing attackers to inject malicious payloads via computed extrafields or other evaluation paths. To address this issue, users should upgrade Dolibarr to version 23.0.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-22666.
In Dolibarr versions 22.0.4 and prior a medium severity vulnerability CVE-2026-34036 was detected. This vulnerability allows an authenticated user with no specific privileges to read arbitrary non-PHP files on the server (e.g., .env, .htaccess, configuration backups, logs) by exploiting a Local File Inclusion (LFI) flaw in the `/core/ajax/selectobject.php` endpoint via the `objectdesc` parameter and a fail-open logic in the `restrictedArea()` access control function. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-34036.
In Dolibarr ERP/CRM version 10.0.1 a high severity vulnerability CVE-2019-25450 was detected. This vulnerability allows authenticated attackers to execute arbitrary SQL queries via POST parameters such as `actioncode`, `demand_reason_id`, and `availability_id` in the `card.php` endpoint, potentially exposing sensitive database information through boolean-based blind, error-based, or time-based blind SQL injection techniques. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2019-25450.
In Dolibarr versions up to and including 11.0.3 a medium severity vulnerability CVE-2020-36966 was detected. This vulnerability allows attackers to inject malicious scripts via the LDAP synchronization settings, specifically through the `host`, `slave`, and `port` parameters in `/dolibarr/admin/ldap.php`, potentially enabling arbitrary JavaScript execution and theft of user cookie information. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2020-36966.
In Dolibarr ERP/CRM versions up to and including 3.1.1 and 3.2.0 a critical severity vulnerability CVE-2012-10059 was detected. This vulnerability allows authenticated attackers to execute arbitrary system commands via the database backup feature, due to improper sanitization of the sql_compat parameter in the export.php script. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2012-10059.