CVE-2011-4802

Multiple SQL injection vulnerabilities in Dolibarr 3.1.0 RC and probably earlier allow remote authenticated users to execute arbitrary SQL commands via the (1) sortfield, (2) sortorder, and (3) sall parameters to user/index.php and (b) user/group/index.php; the id parameter to (4) info.php, (5) perms.php, (6) param_ihm.php, (7) note.php, and (8) fiche.php in user/; and (9) rowid parameter to admin/boxes.php.

Published: Dec 14, 2011
Updated: Apr 13, 2023
CVE: CVE-2011-4802
Severity: Medium
Exploit:

CVSS v2:

Severity: Medium
Score: 6.5
AV:N/AC:L/Au:S/C:P/I:P/A:P

CWEs:

CWE-89

OWASP TOP 10:

A1 - Injection

Affected Software
References

Software	From	Fixed in
dolibarr / dolibarr_erp/crm	2.9.0	2.9.0.x
dolibarr / dolibarr_erp/crm	2.8.1	2.8.1.x
dolibarr / dolibarr_erp/crm	-	3.1.0.x
dolibarr / dolibarr_erp/crm	2.6.0	2.6.0.x
dolibarr / dolibarr_erp/crm	3.0.0	3.0.0.x
dolibarr / dolibarr_erp/crm	2.7.1	2.7.1.x
dolibarr / dolibarr_erp/crm	2.6.1	2.6.1.x
dolibarr / dolibarr_erp/crm	2.5.0	2.5.0.x
dolibarr / dolibarr_erp/crm	2.7.0	2.7.0.x
dolibarr / dolibarr_erp/crm	2.8.0	2.8.0.x
dolibarr / dolibarr_erp/crm	3.0.1	3.0.1.x

Vulnerability Database

289,871

CVE-2011-4802