Multiple vulnerabilities in DOLIBARR's ERP CMS

Posted date 24/05/2024
5 - Critical
Affected Resources

ERP CMS, version 9.0.1.


INCIBE has coordinated the publication of 2 vulnerabilities of critical severity affecting ERP CMS, web and open source enterprise management system, version 9.0.1 of DOLLIBAR, which have been discovered by Rafael Pedrero.

These vulnerabilities have been assigned the following codes, CVSS v3.1 base score, CVSS vector and CWE vulnerability type for each vulnerability:

  • CVE-2024-5314: 9.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N | CWE-89.
  • CVE-2024-5315: 9.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N | CWE-89.

There is no reported solution at this time. 


Vulnerabilities in Dolibarr ERP - CRM that affect version 9.0.1 and allow SQL injection. These vulnerabilities could allow a remote attacker to send a specially crafted SQL query to the system and retrieve all the information stored in the database through the parameters:

  • CVE-2024-5314: sortorder y sortfield in /dolibarr/admin/dict.php.
  • CVE-2024-5315: viewstatut in /dolibarr/commande/list.php.
References list