CVE-2020-13239
Published: 2020-05-20
Priority: P4 · 24 · medium
CVSS 3.1 base score: 5.4 (vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
EPSS: 0.70% (48.4th percentile)
The DMS/ECM module in Dolibarr 11.0.4 renders user-uploaded .html files in the browser when the attachment parameter is removed from the direct download link. This causes XSS.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dolibarr | dolibarr_erp_crm | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 3.5 | LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N |
| osv | — | 5.4 | MEDIUM | — |
References
| Source | Title | Date | Severity | Notes |
|---|---|---|---|---|
| OSV | Dolibarr Stored Cross-site Scripting via file upload | 2022-05-24 | MEDIUM | — |
| GHSA | Dolibarr Stored Cross-site Scripting via file upload | 2022-05-24 | MEDIUM | CWE-79 |
| OSV | CVE-2020-13239: The DMS/ECM module in Dolibarr 11 | 2020-05-20 | MEDIUM | CVSS 5.4 |
All three entries carry the same description: the DMS/ECM module in Dolibarr 11.0.4 renders user-uploaded .html files in the browser when the attachment parameter is removed from the direct download link, which causes XSS.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.