Summary
This host is running Dolibarr and is prone to multiple cross site scripting and SQL injection vulnerabilities.
Impact
Successful exploitation will allow attacker to execute arbitrary HTML and script code in a user's browser session in the context of a vulnerable site and to cause SQL Injection attack to gain sensitive information.
Impact Level: Application
Solution
Upgrade to Dolibarr version 3.1RC3 or later
For updates refer to http://www.dolibarr.org/
Insight
The flaws are due to improper validation of user-supplied input - Passed via PATH_INFO to multiple scripts allows attackers to inject arbitrary HTML code.
- Passed via the 'sortfield', 'sortorder', 'sall', 'id' and 'rowid' parameters to multiple scripts, which allows attackers to manipulate SQL queries by injecting arbitrary SQL code.
Affected
Dolibarr version 3.1.0RC and prior
References
Severity
Classification
-
CVE CVE-2011-4802, CVE-2011-4814 -
CVSS Base Score: 6.5
AV:N/AC:L/Au:S/C:P/I:P/A:P
Related Vulnerabilities