CVE-2018-9019

Name of the Vulnerable Software and Affected Versions Dolibarr versions prior to 7.0.2

Description The issue allows remote attackers to execute arbitrary SQL commands via the sortfield parameter to "/accountancy/admin/accountmodel.php", "/accountancy/admin/categories list.php", "/accountancy/admin/journals list.php", "/admin/dict.php", "/admin/mails templates.php", or "/admin/website.php". This is due to a lack of protection for the SQL query structure.

Recommendations For versions prior to 7.0.2, update to version 7.0.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable API endpoints until a patch is available. Avoid using the sortfield parameter in the affected API endpoints until the issue is resolved.