Dolibarr Multiple Cross Site Scripting And SQL Injection Vulnerabilities Network Vulnerability

Summary

This host is running Dolibarr and is prone to multiple cross site scripting and SQL injection vulnerabilities.

Impact

Successful exploitation will allow attacker to execute arbitrary HTML and script code in a user's browser session in the context of a vulnerable site and to cause SQL Injection attack to gain sensitive information. Impact Level: Application

Solution

Upgrade to Dolibarr version 3.1RC3 or later For updates refer to http://www.dolibarr.org/

Insight

The flaws are due to improper validation of user-supplied input - Passed via PATH_INFO to multiple scripts allows attackers to inject arbitrary HTML code. - Passed via the 'sortfield', 'sortorder', 'sall', 'id' and 'rowid' parameters to multiple scripts, which allows attackers to manipulate SQL queries by injecting arbitrary SQL code.

Affected

Dolibarr version 3.1.0RC and prior

References

Updated on 2015-03-25

Severity

Classification

CVE CVE-2011-4802, CVE-2011-4814
CVSS Base Score: 6.5
AV:N/AC:L/Au:S/C:P/I:P/A:P

Related Vulnerabilities

Dolibarr Multiple Cross Site Scripting and SQL Injection Vulnerabilities

Take action and discover your vulnerabilities