CVE-2018-10095
Published 2018-05-22
Priority: P3 · 52 · medium · 6.1 (CVSS 3.0)
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EXPLOIT
EPSS: 86.99% (99.7th percentile)
Cross-site scripting (XSS) vulnerability in Dolibarr before 7.0.2 allows remote attackers to inject arbitrary web script or HTML via the foruserlogin parameter to adherents/cartes/carte.php.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dolibarr | dolibarr | < 7.0.2 | 7.0.2 |
| dolibarr | dolibarr | >= 0 < 7.0.2 | 7.0.2 |
Detection & IOCs (extracted from sources)
- IOC (other): foruserlogin=<script>alert(document.domain)</script>
- Look for XSS payloads in the foruserlogin GET/POST parameter on requests to adherents/cartes/carte.php. Decode the value before matching: the canonical payload is one of many, and URL- or double-encoded variants are common.
- Nuclei-style detection: inject an XSS payload into the foruserlogin parameter and match an HTTP 200 response with Content-Type: text/html. On their own those two conditions prove nothing, since every normal Dolibarr page returns them; the signal is the payload reflected unescaped in the response body, which the template's word matcher checks. A patched instance returns the value HTML-escaped.
- Affects Dolibarr versions before 7.0.2 only; patched in 7.0.2 and later.
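The two detection angles above, as an added example (not Dolibarr code and not the published Nuclei template): check_response() reproduces the template-style matcher logic on an HTTP response and rejects the escaped reflection a patched server produces, and scan_access_log() applies the same IOC to access-log lines, decoding the parameter so double-encoded payloads are not missed. The log format, sample lines, and the XSS marker regex are assumptions made for the example.

```python
"""Detection helpers for CVE-2018-10095: reflected XSS through the
foruserlogin parameter of adherents/cartes/carte.php (Dolibarr < 7.0.2).

Added example; not Dolibarr code and not the published Nuclei template.
check_response() mirrors the template-style matchers on an HTTP response,
scan_access_log() applies the same IOC to web-server access-log lines.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

VULN_PATH = "/adherents/cartes/carte.php"
PARAM = "foruserlogin"
PAYLOAD = "<script>alert(document.domain)</script>"   # payload quoted on the page

# Heuristic markers for the log scanner (assumption): attackers vary payloads,
# so do not match only the canonical one. Tune against your own traffic.
XSS_MARKERS = re.compile(
    r"<\s*script|javascript:|\bon\w+\s*=|<\s*(?:img|svg|iframe)", re.I
)

# Apache/nginx "combined" access-log line (assumed log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def check_response(status, headers, body, payload=PAYLOAD):
    """Nuclei-style matchers: HTTP 200, Content-Type text/html and the payload
    reflected verbatim. A patched server that HTML-escapes the value (body
    holds '&lt;script&gt;...') does not match."""
    ctype = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
    return status == 200 and "text/html" in ctype.lower() and payload in body


def suspicious_values(target):
    """Decoded foruserlogin values from a request target that carry XSS markers."""
    parts = urlsplit(target)
    if not parts.path.endswith(VULN_PATH):
        return []          # the IOC is specific to carte.php; skip other paths
    hits = []
    for value in parse_qs(parts.query, keep_blank_values=True).get(PARAM, []):
        decoded = unquote(value)   # parse_qs decoded once; catch double-encoding
        if XSS_MARKERS.search(decoded):
            hits.append(decoded)
    return hits


def scan_access_log(lines):
    """One finding per request whose foruserlogin query value looks like an XSS
    probe. Only GET parameters are visible in access logs; POST bodies need a
    WAF or application log."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for value in suspicious_values(m["target"]):
            findings.append({"ip": m["ip"], "ts": m["ts"],
                             "status": int(m["status"]), "value": value})
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [21/May/2018:10:02:11 +0000] "GET /adherents/cartes/carte.php'
    '?foruserlogin=%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1" 200 5123',
    # double-encoded <img src=x onerror=alert(1)>
    '203.0.113.7 - - [21/May/2018:10:02:15 +0000] "GET /adherents/cartes/carte.php'
    '?foruserlogin=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 5130',
    '198.51.100.4 - - [21/May/2018:10:03:40 +0000] "GET /adherents/cartes/carte.php'
    '?foruserlogin=jdoe HTTP/1.1" 200 5098',
    # same parameter on another script: out of scope for this IOC
    '198.51.100.4 - - [21/May/2018:10:04:02 +0000] "GET /index.php'
    '?foruserlogin=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 404 210',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} value={f['value']!r}")
```

Running the block against the constructed lines reports the two probes from 203.0.113.7 and ignores both the legitimate login value and the same parameter sent to index.php. The response check deliberately requires the raw payload in the body rather than just 200/text/html, because a fixed Dolibarr still answers 200 text/html with the value escaped.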
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 6.1 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| osv | – | 6.1 | MEDIUM | – |
Sources
- OSV (2022-05-14): CVE-2018-10095 [MEDIUM] Dolibarr Cross-site scripting (XSS) vulnerability
- GHSA (2022-05-14): CVE-2018-10095 [MEDIUM] CWE-79 Dolibarr Cross-site scripting (XSS) vulnerability
- OSV (2018-05-22, CVSS 6.1): CVE-2018-10095 [MEDIUM] CVE-2018-10095: Cross-site scripting (XSS) vulnerability in Dolibarr before 7
All three entries carry the same description as the NVD text above: Cross-site scripting (XSS) vulnerability in Dolibarr before 7.0.2 allows remote attackers to inject arbitrary web script or HTML via the foruserlogin parameter to adherents/cartes/carte.php.
No detection rules found.
Nuclei
CVE-2018-10095 [MEDIUM] Dolibarr <7.0.2 - Cross-Site Scripting (nuclei · CVSS 6.1)
Matcher section as extracted from the template (the request section is not shown on this page; the word-matcher fragment survives only as "Dolibarr alert(document.domain)'"):

```yaml
      # word matcher fragment as extracted: Dolibarr alert(document.domain)'
      - type: word
        part: header
        words:
          - text/html
      - type: status
        status:
          - 200
# digest: 4b0a00483046022100c79f4b946851580c4c9e130e20c1d55044c9b8990c568598ef34991a287525e6022100d5ae5d7ba0dd74d7f57ab7573a22db0341b4d5114dddd5bac150227a8d85f279:922c64590222798bb761d5b6d8e72950
```
References
- http://www.openwall.com/lists/oss-security/2018/05/21/3
- https://github.com/Dolibarr/dolibarr/blob/7.0.2/ChangeLog
- https://github.com/Dolibarr/dolibarr/commit/1dc466e1fb687cfe647de4af891720419823ed56
- https://sysdream.com/news/lab/2018-05-21-cve-2018-10095-dolibarr-xss-injection-vulnerability/