Source: dolibarr
Version: 3.5.5+dfsg1-1
Severity: grave
Tags: patch security upstream
Hi,

the following vulnerabilities were published for dolibarr.

CVE-2017-17897[0]:
| SQL injection vulnerability in comm/multiprix.php in Dolibarr ERP/CRM
| version 6.0.4 allows remote attackers to execute arbitrary SQL commands
| via the id parameter.

CVE-2017-17898[1]:
| Dolibarr ERP/CRM version 6.0.4 does not block direct requests to
| *.tpl.php files, which allows remote attackers to obtain sensitive
| information.

CVE-2017-17899[2]:
| SQL injection vulnerability in adherents/subscription/info.php in
| Dolibarr ERP/CRM version 6.0.4 allows remote attackers to execute
| arbitrary SQL commands via the rowid parameter.

CVE-2017-17900[3]:
| SQL injection vulnerability in fourn/index.php in Dolibarr ERP/CRM
| version 6.0.4 allows remote attackers to execute arbitrary SQL commands
| via the socid parameter.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-17897
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17897
[1] https://security-tracker.debian.org/tracker/CVE-2017-17898
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17898
[2] https://security-tracker.debian.org/tracker/CVE-2017-17899
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17899
[3] https://security-tracker.debian.org/tracker/CVE-2017-17900
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17900

In one case the code moved from subscriptions_info.php to
subscriptions/info.php; I still decided to file one bug report for the
four CVEs since the set of fixes and affected versions are the same. If
I was wrong in this regard, please clone the bug and adjust affected
versions as needed for the BTS.

Regards,
Salvatore
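The three SQL injection CVEs above share one pattern: a numeric request parameter (id, rowid, socid) is pasted into the SQL text. The following is an added, self-contained PHP illustration of that bug class and of its usual fix (type validation plus a bound parameter); it is not Salvatore's text, not Dolibarr's code, and not the upstream patch. The table name, the columns, the attacker payload and the in-memory SQLite store are constructed for the demo and assume the pdo_sqlite extension is available.

```php
<?php
// Added example, not Dolibarr code: the SQL injection class behind
// CVE-2017-17897/17899/17900 (numeric parameter concatenated into a
// query) next to a hardened version. Schema, data and the PDO/SQLite
// backing store are constructed for this demo only.

function demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE subscription (rowid INTEGER PRIMARY KEY, fk_adherent INTEGER, amount REAL)');
    $db->exec('INSERT INTO subscription VALUES (1, 10, 20.0), (2, 11, 35.0), (3, 12, 50.0)');
    return $db;
}

// Vulnerable pattern: the raw request value becomes part of the SQL text,
// so a value such as "1 OR 1=1" rewrites the WHERE clause.
function subscription_vulnerable(PDO $db, string $rowid): array
{
    $sql = 'SELECT rowid, fk_adherent, amount FROM subscription WHERE rowid = ' . $rowid;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: reject anything that is not a positive integer, then
// pass the value to the database as a bound parameter, never as SQL text.
function subscription_hardened(PDO $db, string $rowid): array
{
    $id = filter_var($rowid, FILTER_VALIDATE_INT);
    if ($id === false || $id <= 0) {
        throw new InvalidArgumentException('rowid must be a positive integer');
    }
    $stmt = $db->prepare('SELECT rowid, fk_adherent, amount FROM subscription WHERE rowid = :rowid');
    $stmt->bindValue(':rowid', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = demo_db();
$payload = '1 OR 1=1'; // constructed attacker input for the rowid parameter

// The vulnerable query returns every row instead of the one that was asked for.
printf("vulnerable, rowid=%s: %d row(s)\n", $payload, count(subscription_vulnerable($db, $payload)));

// The hardened query answers a legitimate request ...
printf("hardened, rowid=2: %d row(s)\n", count(subscription_hardened($db, '2')));

// ... and refuses the payload before any SQL is built.
try {
    subscription_hardened($db, $payload);
} catch (InvalidArgumentException $e) {
    echo "hardened, rowid={$payload}: rejected ({$e->getMessage()})\n";
}
```

The same two steps apply to the id and socid parameters named in the other two CVEs. For CVE-2017-17898 the defence is different in kind: a file that is only meant to be included can refuse a direct request by checking for state its including page always sets up (and exiting otherwise), and a web-server rule that denies requests matching *.tpl.php gives defence in depth independent of the PHP code.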