CVE-2024-23817 — Cross-site Scripting in Dolibarr

CWE-79 — Cross-site Scripting CWE-80 — Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)5 documents4 sources

Severity

6.1MEDIUMNVD

CNA7.1

EPSS

0.6%

top 30.24%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Dolibarr Dolibarr ERP CRM

Timeline

PublishedJan 25

Latest updateApr 18

Description

Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. Version 18.0.4 has a HTML Injection vulnerability in the Home page of the Dolibarr Application. This vulnerability allows an attacker to inject arbitrary HTML tags and manipulate the rendered content in the application's response. Specifically, I was able to successfully inject a new HTML tag into the returned document and, as a result, was able to comment out some part of the Dolibarr …

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages3 packages

▶Packagistdolibarr/dolibarr18.0.4 — 18.0.7

▶CVEListV5dolibarr/dolibarr= 18.0.4

▶NVDdolibarr/dolibarr_erp_crm18.0.4

🔴Vulnerability Details

GHSA

Dolibarr Application Home Page has HTML injection vulnerability↗2024-04-18

▶

OSV

Dolibarr Application Home Page has HTML injection vulnerability↗2024-04-18

▶

OSV

CVE-2024-23817: Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package↗2024-01-25

▶

CVEList

Dolibarr Application Home Page HTML injection vulnerability↗2024-01-25

▶