CVE-2017-9838 — Cross-site Scripting in ERP CRM

CWE-79 — Cross-site Scripting5 documents4 sources

Severity

5.4MEDIUMNVD

EPSS

0.2%

top 59.73%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Dolibarr ERP CRM Dolibarr

Timeline

PublishedApr 11

Latest updateMay 14

Description

Dolibarr ERP/CRM is affected by multiple reflected Cross-Site Scripting (XSS) vulnerabilities in versions before 5.0.4: index.php (leftmenu parameter), core/ajax/box.php (PATH_INFO), product/stats/card.php (type parameter), holiday/list.php (month_create, month_start, and month_end parameters), and don/card.php (societe, lastname, firstname, address, zipcode, town, and email parameters).

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

▶Packagistdolibarr/dolibarr< 5.0.4

▶NVDdolibarr/dolibarr_erp_crm< 5.0.4

🔴Vulnerability Details

OSV

Dolibarr Cross-Site Scripting (XSS) vulnerability↗2022-05-14

▶

GHSA

Dolibarr Cross-Site Scripting (XSS) vulnerability↗2022-05-14

▶

CVEList

CVE-2017-9838: Dolibarr ERP/CRM is affected by multiple reflected Cross-Site Scripting (XSS) vulnerabilities in versions before 5↗2018-04-11

▶

OSV

CVE-2017-9838: Dolibarr ERP/CRM is affected by multiple reflected Cross-Site Scripting (XSS) vulnerabilities in versions before 5↗2018-04-11

▶