{"url":"http://public2.vulnerablecode.io/api/packages/58627?format=json","purl":"pkg:composer/dolibarr/dolibarr@2.8.1","type":"composer","namespace":"dolibarr","name":"dolibarr","version":"2.8.1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"3.8.3","latest_non_vulnerable_version":"21.0.3","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41289?format=json","vulnerability_id":"VCID-651j-rw3n-kkgu","summary":"Incorrect Authorization\nDolibarr applications do not restrict, or incorrectly restricts, access to a resource from an unauthorized actor. A low privileged attacker can modify the `Private Note` which only an administrator should have rights to do, the affected field is in the `/adherents/note.php?id=1` endpoint.","references":[{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25954","reference_id":"CVE-2021-25954","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25954"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/58629?format=json","purl":"pkg:composer/dolibarr/dolibarr@13.0.5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@13.0.5"}],"aliases":["CVE-2021-25954"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-651j-rw3n-kkgu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41314?format=json","vulnerability_id":"VCID-6nme-3afj-qfdp","summary":"Cross-site Scripting\nIn the editor module of the Dolibarr editor scripts are executed in a victim’s browser when they open the page containing the vulnerable field. In the worst case, the victim who inadvertently triggers the attack is a highly privileged administrator. The injected scripts can extract the Session ID, which can lead to full Account takeover of the admin and due to other vulnerability (Improper Access Control on Private notes) a low privileged user can update the private notes which could lead to privilege escalation.","references":[{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25955","reference_id":"CVE-2021-25955","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25955"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/58707?format=json","purl":"pkg:composer/dolibarr/dolibarr@13.0.3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@13.0.3"}],"aliases":["CVE-2021-25955"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6nme-3afj-qfdp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41323?format=json","vulnerability_id":"VCID-yup5-ztvt-cfgp","summary":"Weak Password Recovery Mechanism for Forgotten Password\nDolibarr is vulnerable to account takeover via password reset functionality. A low privileged attacker can reset the password of any user in the application using the password reset link the user received through email when requested for a forgotten password.","references":[{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25957","reference_id":"CVE-2021-25957","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25957"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/58707?format=json","purl":"pkg:composer/dolibarr/dolibarr@13.0.3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@13.0.3"}],"aliases":["CVE-2021-25957"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yup5-ztvt-cfgp"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@2.8.1"}