Scan free
CRITICALCVE-2024-5315CVSS 9.1

CVE-2024-5315: SQL Injection in Dolibarr ERP - CRM

Platform

php

Component

dolibarr/dolibarr

Fixed in

9.0.2

9.0.2

AI Confidence: highNVDEPSS 63.0%Reviewed: May 2026
View on NVD
Save

CVE-2024-5315 represents a critical SQL injection vulnerability discovered in Dolibarr ERP - CRM. This flaw allows a remote attacker to craft malicious SQL queries, potentially leading to unauthorized data access and manipulation. The vulnerability affects versions of Dolibarr ERP - CRM up to and including 9.0.1. A patch is available in version 9.0.2.

Impact and Attack Scenarios

The impact of CVE-2024-5315 is severe. Successful exploitation allows an attacker to inject arbitrary SQL code into database queries through the /dolibarr/commande/list.php endpoint. This can lead to complete compromise of the database, including sensitive customer data, financial records, and system configurations. An attacker could potentially extract, modify, or delete data, leading to significant business disruption and reputational damage. The ability to execute arbitrary SQL also opens the door to privilege escalation and potentially gaining control of the underlying server. This vulnerability shares characteristics with other SQL injection attacks, where attackers leverage database vulnerabilities to gain unauthorized access.

Exploitation Context

CVE-2024-5315 was publicly disclosed on 2024-05-24. The vulnerability is considered critical due to the potential for complete data compromise. No public proof-of-concept exploits have been widely reported as of this writing, but the ease of SQL injection exploitation suggests that it is likely to become a target. The EPSS score is likely to be medium to high, given the severity and relatively straightforward nature of the vulnerability. Check CISA and NVD for updates on exploitation activity.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown
CISA KEVNO
Internet ExposureHigh

EPSS

63.03% (98% percentile)

CISA SSVC

Exploitationnone
Automatableyes
Technical Impacttotal

CVSS Vector

THREAT INTELLIGENCE· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N9.1CRITICALAttack VectorNetworkHow the attacker reaches the targetAttack ComplexityLowConditions required to exploitPrivileges RequiredNoneAuthentication level needed to attackUser InteractionNoneWhether a victim must take actionScopeUnchangedImpact beyond the vulnerable componentConfidentialityHighRisk of sensitive data exposureIntegrityHighRisk of unauthorized data modificationAvailabilityNoneRisk of service disruptionnextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

Componentdolibarr/dolibarr
Vendorosv
Affected rangeFixed in
9.0.1 – 9.0.19.0.2
9.0.19.0.2

Package Information

Last updated
15.0.346 months ago

Weakness Classification (CWE)

CWE-89

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated
Patched -1873 days after disclosure

Mitigation and Workarounds

The primary mitigation for CVE-2024-5315 is to immediately upgrade Dolibarr ERP - CRM to version 9.0.2 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds. Input validation and sanitization on the /dolibarr/commande/list.php endpoint can help reduce the attack surface, although this is not a substitute for patching. Web application firewalls (WAFs) configured with rules to detect and block SQL injection attempts can provide an additional layer of defense. Monitor Dolibarr logs for suspicious SQL queries and unusual database activity. After upgrading, verify the fix by attempting a SQL injection attack on the /dolibarr/commande/list.php endpoint and confirming that the attack is blocked.

How to fix

Update Dolibarr ERP CMS to a version later than 9.0.1 that fixes the (SQL Injection) vulnerability. Refer to the official Dolibarr website for the latest version and upgrade instructions. Apply security updates as soon as they are available.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2024-5315 — SQL Injection in Dolibarr ERP - CRM?

CVE-2024-5315 is a critical SQL Injection vulnerability in Dolibarr ERP - CRM versions up to 9.0.1, allowing attackers to inject malicious SQL queries and potentially access sensitive data.

Am I affected by CVE-2024-5315 in Dolibarr ERP - CRM?

You are affected if you are running Dolibarr ERP - CRM version 9.0.1 or earlier. Upgrade to version 9.0.2 or later to mitigate the risk.

How do I fix CVE-2024-5315 in Dolibarr ERP - CRM?

The recommended fix is to upgrade Dolibarr ERP - CRM to version 9.0.2 or later. Temporary workarounds include input validation and WAF rules.

Is CVE-2024-5315 being actively exploited?

While no widespread exploitation has been confirmed, the ease of SQL injection exploitation suggests it is likely to become a target. Monitor your systems for suspicious activity.

Where can I find the official Dolibarr advisory for CVE-2024-5315?

Refer to the official Dolibarr security advisory for detailed information and updates: [https://www.dolibarr.org/security/](https://www.dolibarr.org/security/)

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan freeSearch CVEs