Lucene search

GitHub Advisory DatabaseGHSA-9986-6M4G-25F6

HistoryMay 14, 2022 - 3:23 a.m.

Dolibarr SQL injection vulnerability

2022-05-1403:23:30

CWE-89

GitHub Advisory Database

github.com

dolibarr

sql injection

erp/crm

vulnerability

viewstatut

propal_statut

CVSS2

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

8.4

Confidence

Low

EPSS

0.001

Percentile

39.2%

JSON

Dolibarr ERP/CRM is affected by multiple SQL injection vulnerabilities in versions through 7.0.0 via comm/propal/list.php (viewstatut parameter) or comm/propal/list.php (propal_statut parameter, aka search_statut parameter).

Affected configurations

Vulners

Node

dolibarrdolibarrRange≤7.0.0

VendorProductVersionCPE
dolibarrdolibarr*cpe:2.3:a:dolibarr:dolibarr:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
dolibarr	dolibarr	*	cpe:2.3:a:dolibarr:dolibarr::::::::

References

github.com/advisories/GHSA-9986-6m4g-25f6

nvd.nist.gov/vuln/detail/CVE-2017-18260

www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2017-010

CVSS2

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

8.4

Confidence

Low

EPSS

0.001

Percentile

39.2%

JSON

Related for GHSA-9986-6M4G-25F6