CVE-2019-16688: Cross-site Scripting in ERP CRM

Severity: 5.4 MEDIUM (NVD)
EPSS: 0.2% (top 61.27%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Sep 27
Latest update: May 24

Description

Dolibarr 9.0.5 has stored XSS in an Email Template section to mails_templates.php. A user with no privileges can inject script to attack the admin. (This stored XSS can affect all types of user privilege from Admin to users with no permissions.)

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.3 | Impact: 2.7

Affected Packages (1)

Vulnerability Details (4)

GHSA: Dolibarr stored Cross-site Scripting in an Email Template section (2022-05-24)
OSV: Dolibarr stored Cross-site Scripting in an Email Template section (2022-05-24)
CVEList: CVE-2019-16688: Dolibarr 9 (2019-09-27)
OSV: CVE-2019-16688: Dolibarr 9 (2019-09-27)