Multiple vulnerabilities in DOLIBARR's ERP CMS
Posted date 24/05/2024
Identifier
INCIBE-2024-0274
Importance
5 - Critical
Affected Resources
ERP CMS, version 9.0.1.
Description
INCIBE has coordinated the publication of 2 critical-severity vulnerabilities affecting ERP CMS, the web-based open source enterprise management system by Dolibarr, version 9.0.1, which were discovered by Rafael Pedrero.
These vulnerabilities have been assigned the following codes, CVSS v3.1 base score, CVSS vector and CWE vulnerability type for each vulnerability:
- CVE-2024-5314: 9.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N | CWE-89.
- CVE-2024-5315: 9.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N | CWE-89.
Solution
There is no reported solution at this time.
Detail
Vulnerabilities in Dolibarr ERP - CRM that affect version 9.0.1 and allow SQL injection. These vulnerabilities could allow a remote attacker to send a specially crafted SQL query to the system and retrieve all the information stored in the database through the following parameters:
- CVE-2024-5314: sortorder and sortfield in /dolibarr/admin/dict.php.
- CVE-2024-5315: viewstatut in /dolibarr/commande/list.php.
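As an added defensive example (not code from Dolibarr or from this advisory), the pattern behind the parameters above: a sort field and sort order become an SQL identifier and keyword, so they cannot be bound as prepared-statement parameters and must be allow-listed against known columns, while a status filter such as viewstatut is a data value and should be bound. It is written in Python with sqlite3 so it runs stand-alone; the table and column names are hypothetical, not Dolibarr's schema.

```python
import sqlite3

# Allow-lists for request values that end up as SQL identifiers/keywords.
# Column names are constructed for this example, not Dolibarr's.
ALLOWED_SORT_FIELDS = {"ref", "date_creation", "total"}
ALLOWED_SORT_ORDERS = {"ASC", "DESC"}
ALLOWED_STATUSES = {0, 1, 2}  # viewstatut-style filter: only known status codes


def build_list_query(sortfield, sortorder, viewstatut):
    """Return (sql, params) for a list page.

    sortfield/sortorder are interpolated into the statement, so they are
    accepted only if they match the allow-list exactly; the status value
    is ordinary data and is passed as a bound parameter, never concatenated.
    """
    if sortfield not in ALLOWED_SORT_FIELDS:
        raise ValueError(f"unsupported sortfield: {sortfield!r}")
    order = sortorder.upper()
    if order not in ALLOWED_SORT_ORDERS:
        raise ValueError(f"unsupported sortorder: {sortorder!r}")
    try:
        status = int(viewstatut)  # rejects anything that is not a plain integer
    except (TypeError, ValueError):
        raise ValueError(f"viewstatut must be an integer: {viewstatut!r}")
    if status not in ALLOWED_STATUSES:
        raise ValueError(f"unknown viewstatut: {status}")
    sql = f"SELECT ref, total FROM orders WHERE status = ? ORDER BY {sortfield} {order}"
    return sql, (status,)


def list_orders(conn, sortfield="ref", sortorder="ASC", viewstatut="1"):
    sql, params = build_list_query(sortfield, sortorder, viewstatut)
    return conn.execute(sql, params).fetchall()


def make_demo_db():
    """Constructed in-memory sample data so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (ref TEXT, date_creation TEXT, total REAL, status INTEGER)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?)", [
        ("CO-1", "2024-01-05", 100.0, 1),
        ("CO-2", "2024-02-10", 50.0, 1),
        ("CO-3", "2024-03-15", 75.0, 0),
    ])
    return conn


def rejects(sortfield, sortorder="ASC", viewstatut="1"):
    """True when the request values are refused before any SQL is built."""
    try:
        build_list_query(sortfield, sortorder, viewstatut)
    except ValueError:
        return True
    return False
```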