Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2019-16197 — Cross-site Scripting in Dolibarr

CWE-79 — Cross-site Scripting6 documents5 sources

Severity

6.1MEDIUMNVD

EPSS

0.2%

top 63.78%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Dolibarr Dolibarr ERP CRM

Timeline

PublishedSep 16

Latest updateNov 8

Description

In htdocs/societe/card.php in Dolibarr 10.0.1, the value of the User-Agent HTTP header is copied into the HTML document as plain text between tags, leading to XSS.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶Packagistdolibarr/dolibarr< 10.0.2

▶NVDdolibarr/dolibarr_erp_crm10.0.1

🔴Vulnerability Details

GHSA

Cross-site scripting in Dolibarr↗2019-11-08

▶

OSV

Cross-site scripting in Dolibarr↗2019-11-08

▶

CVEList

CVE-2019-16197: In htdocs/societe/card↗2019-09-16

▶

OSV

CVE-2019-16197: In htdocs/societe/card↗2019-09-16

▶

💥Exploits & PoCs

Exploit-DB

Dolibarr ERP-CRM 10.0.1 - 'User-Agent' Cross-Site Scripting↗2019-09-13

▶