Chris Oakley

#48820 of 53,635
5 Total CVSS
Vulnerabilities · 1
PT-2026-36692
5.0
2026-05-03
Unknown · Dolibarr Erp/Crm · CVE-2026-7688
**Name of the Vulnerable Software and Affected Versions** Dolibarr ERP CRM versions prior to 23.0.3

**Description** A SQL injection issue exists in the Shipments API Endpoint. The flaw is located within the `checkValForAPI()` function of the file `htdocs/expedition/class/expedition.class.php`. Remote attackers can exploit this by manipulating the `fields` argument. This attack requires a high degree of complexity and is considered difficult to execute.

**Recommendations** Update to a version later than 23.0.2. As a temporary workaround, restrict access to the Shipments API Endpoint or avoid using the `fields` argument in the `checkValForAPI()` function until a patch is applied.