Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2011-4814 — Cross-site Scripting in ERP CRM

CWE-79 — Cross-site Scripting4 documents4 sources

Severity

4.3MEDIUMNVD

EPSS

5.5%

top 9.79%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Dolibarr ERP CRM

Timeline

PublishedDec 14

Latest updateMay 14

Description

Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr 3.1.0 RC and probably earlier allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) index.php, (2) admin/boxes.php, (3) comm/clients.php, (4) commande/index.php; and the optioncss parameter to (5) admin/ihm.php and (6) user/home.php.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages1 packages

▶NVDdolibarr/dolibarr_erp_crm3.1.0+10

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-843h-x42r-c9r8: Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr 3↗2022-05-14

▶

CVEList

CVE-2011-4814: Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr 3↗2011-12-14

▶

💥Exploits & PoCs

Exploit-DB

Dolibarr ERP/CRM 3.1 - Multiple Script URI Cross-Site Scripting Vulnerabilities↗2011-11-23

▶