Multiple vulnerabilities in DOLIBARR's ERP CMS

Posted date: 24/05/2024
Importance: 5 - Critical
Affected Resources

ERP CMS, version 9.0.1.

Description

INCIBE has coordinated the publication of 2 critical-severity vulnerabilities affecting ERP CMS, the web-based, open source enterprise management system from Dolibarr, version 9.0.1, which were discovered by Rafael Pedrero.

Each vulnerability has been assigned a CVE identifier, a CVSS v3.1 base score, a CVSS vector and a CWE vulnerability type, as follows:

  • CVE-2024-5314: 9.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N | CWE-89.
  • CVE-2024-5315: 9.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N | CWE-89.
Solution

There is no reported solution at this time. 

Detail

Vulnerabilities in Dolibarr ERP - CRM that affect version 9.0.1 and allow SQL injection. A remote attacker could send a specially crafted request to the system and retrieve all the information stored in the database through the following parameters:

  • CVE-2024-5314: sortorder and sortfield in /dolibarr/admin/dict.php.
  • CVE-2024-5315: viewstatut in /dolibarr/commande/list.php.
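As an added example (not code from the advisory or from the Dolibarr project), the following Python shows the two defensive sides of a finding of this kind: mapping the sortfield, sortorder and viewstatut parameters onto allowlists before they reach an ORDER BY or WHERE clause (ORDER BY identifiers cannot be bound as prepared-statement parameters, so an allowlist with a fixed fallback is the standard mitigation), and scanning web-server access logs for requests to the two affected endpoints whose parameter values fall outside those allowlists. The column names, the endpoint/parameter table and the log lines are constructed for illustration and are not Dolibarr's real schema or real traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed allowlists: placeholder column names, not Dolibarr's real schema.
ALLOWED_SORTFIELDS = {"rowid", "code", "label", "active", "ref"}
ALLOWED_SORTORDERS = {"ASC", "DESC"}
# viewstatut is an order-status code, so only a (possibly negative) integer is acceptable.
VIEWSTATUT_RE = re.compile(r"^-?\d+$")

# Endpoints and parameters named in the advisory (table constructed for this example).
WATCHED = {
    "/dolibarr/admin/dict.php": ("sortfield", "sortorder"),
    "/dolibarr/commande/list.php": ("viewstatut",),
}


def sanitize_sort(sortfield, sortorder):
    """Map untrusted sort parameters onto allowlisted values.

    Anything outside the allowlist falls back to a fixed default instead of
    being interpolated into the ORDER BY clause.
    """
    field = sortfield if sortfield in ALLOWED_SORTFIELDS else "rowid"
    order = (sortorder or "").upper()
    order = order if order in ALLOWED_SORTORDERS else "ASC"
    return field, order


def parse_viewstatut(value):
    """Accept viewstatut only as an integer; return None (no filter) otherwise."""
    if isinstance(value, str) and VIEWSTATUT_RE.match(value):
        return int(value)
    return None


def is_suspicious(param, value):
    """True when a watched parameter carries a value the application would never send itself."""
    if param == "sortfield":
        return value not in ALLOWED_SORTFIELDS
    if param == "sortorder":
        return value.upper() not in ALLOWED_SORTORDERS
    if param == "viewstatut":
        return not VIEWSTATUT_RE.match(value)
    return False


def scan_access_log(lines):
    """Flag requests to the advisory's endpoints whose parameters are outside the allowlists.

    Returns a list of (path, parameter, offending value) tuples.
    """
    findings = []
    request_re = re.compile(r'"(?:GET|POST) (\S+) HTTP')
    for line in lines:
        m = request_re.search(line)
        if not m:
            continue
        parts = urlsplit(m.group(1))
        params = WATCHED.get(parts.path)
        if not params:
            continue
        # parse_qs percent-decodes, so the check sees the value the application would see.
        qs = parse_qs(parts.query, keep_blank_values=True)
        for p in params:
            for v in qs.get(p, []):
                if is_suspicious(p, v):
                    findings.append((parts.path, p, v))
    return findings


# Constructed Apache combined-format lines: one benign and one anomalous request per endpoint.
SAMPLE_LOG = [
    '203.0.113.5 - - [24/May/2024:10:00:01 +0200] "GET /dolibarr/admin/dict.php?id=1&sortfield=label&sortorder=ASC HTTP/1.1" 200 5120',
    '203.0.113.5 - - [24/May/2024:10:00:07 +0200] "GET /dolibarr/admin/dict.php?id=1&sortfield=label&sortorder=ASC%27 HTTP/1.1" 200 5120',
    '198.51.100.9 - - [24/May/2024:10:01:13 +0200] "GET /dolibarr/commande/list.php?viewstatut=1 HTTP/1.1" 200 8801',
    '198.51.100.9 - - [24/May/2024:10:01:19 +0200] "GET /dolibarr/commande/list.php?viewstatut=1%27 HTTP/1.1" 200 8801',
]

if __name__ == "__main__":
    for path, param, value in scan_access_log(SAMPLE_LOG):
        print(f"suspicious {param}={value!r} on {path}")
```

The detection side is deliberately narrow: it only knows the two endpoints and three parameters named above, and it raises a finding for any value the application's own links would never generate, which keeps the noise low on a production log. The sanitising helpers are the shape of fix to look for once a patched version is available.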