[Secure-testing-team] Bug#885320: dolibarr: CVE-2017-14238 CVE-2017-14239 CVE-2017-14240 CVE-2017-14241
Salvatore Bonaccorso
carnil at debian.org
Tue Dec 26 07:11:01 UTC 2017
Source: dolibarr
Version: 3.5.5+dfsg1-1
Severity: grave
Tags: patch security upstream
Hi,
the following vulnerabilities were published for dolibarr, filing
only one bug for the four CVEs since afaict the common set of
affected versions goes back to at least 3.5.5+dfsg1-1.
CVE-2017-14238[0]:
| SQL injection vulnerability in admin/menus/edit.php in Dolibarr ERP/CRM
| version 6.0.0 allows remote attackers to execute arbitrary SQL commands
| via the menuId parameter.
CVE-2017-14239[1]:
| Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM
| 6.0.0 allow remote authenticated users to inject arbitrary web script
| or HTML via the (1) CompanyName, (2) CompanyAddress, (3) CompanyZip,
| (4) CompanyTown, (5) Fax, (6) EMail, (7) Web, (8) ManagingDirectors,
| (9) Note, (10) Capital, (11) ProfId1, (12) ProfId2, (13) ProfId3, (14)
| ProfId4, (15) ProfId5, or (16) ProfId6 parameter to
| htdocs/admin/company.php.
CVE-2017-14240[2]:
| There is a sensitive information disclosure vulnerability in
| document.php in Dolibarr ERP/CRM version 6.0.0 via the file parameter.
CVE-2017-14241[3]:
| Cross-site scripting (XSS) vulnerability in Dolibarr ERP/CRM 6.0.0
| allows remote authenticated users to inject arbitrary web script or
| HTML via the Title parameter to htdocs/admin/menus/edit.php.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-14238
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14238
[1] https://security-tracker.debian.org/tracker/CVE-2017-14239
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14239
[2] https://security-tracker.debian.org/tracker/CVE-2017-14240
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14240
[3] https://security-tracker.debian.org/tracker/CVE-2017-14241
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14241
[4] https://github.com/Dolibarr/dolibarr/commit/d26b2a694de30f95e46ea54ea72cc54f0d38e548
Regards,
Salvatore