Fixed in 6.0.5

2017-12-26 8:11 GMT+01:00 Salvatore Bonaccorso <car...@debian.org>:
> Source: dolibarr
> Version: 3.5.5+dfsg1-1
> Severity: grave
> Tags: patch security upstream
>
> Hi,
>
> the following vulnerabilities were published for dolibarr, filing
> only one bug for the four CVEs since afaict the common set of
> affected versions goes back to at least 3.5.5+dfsg1-1.
>
> CVE-2017-14238[0]:
> | SQL injection vulnerability in admin/menus/edit.php in Dolibarr ERP/CRM
> | version 6.0.0 allows remote attackers to execute arbitrary SQL commands
> | via the menuId parameter.
>
> CVE-2017-14239[1]:
> | Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM
> | 6.0.0 allow remote authenticated users to inject arbitrary web script
> | or HTML via the (1) CompanyName, (2) CompanyAddress, (3) CompanyZip,
> | (4) CompanyTown, (5) Fax, (6) EMail, (7) Web, (8) ManagingDirectors,
> | (9) Note, (10) Capital, (11) ProfId1, (12) ProfId2, (13) ProfId3, (14)
> | ProfId4, (15) ProfId5, or (16) ProfId6 parameter to
> | htdocs/admin/company.php.
>
> CVE-2017-14240[2]:
> | There is a sensitive information disclosure vulnerability in
> | document.php in Dolibarr ERP/CRM version 6.0.0 via the file parameter.
>
> CVE-2017-14241[3]:
> | Cross-site scripting (XSS) vulnerability in Dolibarr ERP/CRM 6.0.0
> | allows remote authenticated users to inject arbitrary web script or
> | HTML via the Title parameter to htdocs/admin/menus/edit.php.
>
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2017-14238
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14238
> [1] https://security-tracker.debian.org/tracker/CVE-2017-14239
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14239
> [2] https://security-tracker.debian.org/tracker/CVE-2017-14240
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14240
> [3] https://security-tracker.debian.org/tracker/CVE-2017-14241
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14241
> [4] https://github.com/Dolibarr/dolibarr/commit/d26b2a694de30f95e46ea54ea72cc54f0d38e548
>
> Regards,
> Salvatore
>

--
EMail: e...@destailleur.fr
Web: http://www.destailleur.fr
------------------------------------------------------------------------------------
Google+: https://plus.google.com/+LaurentDestailleur-Open-Source-Expert/
Facebook: https://www.facebook.com/Destailleur.Laurent
Twitter: http://www.twitter.com/eldy10
------------------------------------------------------------------------------------
* Dolibarr (Project leader): https://www.dolibarr.org
  (make a donation for Dolibarr project via Paypal: cont...@destailleur.fr)
* AWStats (Author): http://awstats.sourceforge.net
  (make a donation for AWStats project via Paypal: cont...@destailleur.fr)
* AWBot (Author): http://awbot.sourceforge.net
* CVSChangeLogBuilder (Author): http://cvschangelogb.sourceforge.net