Description

Multiple SQL injection vulnerabilities in Dolibarr 3.1.0 RC and probably earlier allow remote authenticated users to execute arbitrary SQL commands via the (1) sortfield, (2) sortorder, and (3) sall parameters to user/index.php and (b) user/group/index.php; the id parameter to (4) info.php, (5) perms.php, (6) param_ihm.php, (7) note.php, and (8) fiche.php in user/; and (9) rowid parameter to admin/boxes.php.

Remediation

References

CVE-2011-4802

Related Vulnerabilities

WordPress Plugin WordPress Comments Import & Export CSV Injection (2.0.4)

WordPress 3.8.x Multiple Vulnerabilities (3.8 - 3.8.21)

Magento Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2015-8707)

PHP Improper Restriction of Operations within the Bounds of a Memory Buffer Vulnerability (CVE-2014-8626)

Django Improper Authentication Vulnerability (CVE-2013-1443)

Severity

Medium

Classification

CVE-2011-4802 CWE-138

Tags

Missing Update Known Vulnerabilities