Dolibarr Erp Crm
CVE-2024-23817
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. Version 18.0.4 has a HTML Injection vulnerability in the Home page of the Dolibarr Application. This vulnerability allows an attacker to inject arbitrary HTML tags and manipulate the rendered content in the application's response. Specifically, I was able to successfully inject a new HTML tag into the returned document and, as a result, was able to comment out some part of the Dolibarr App Home page HTML code. This behavior can be exploited to perform various attacks like Cross-Site Scripting (XSS). To remediate the issue, validate and sanitize all user-supplied input, especially within HTML attributes, to prevent HTML injection attacks; and implement proper output encoding when rendering user-provided data to ensure it is treated as plain text rather than executable HTML.
AnalysisAI
Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Technical ContextAI
This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. Version 18.0.4 has a HTML Injection vulnerability in the Home page of the Dolibarr Application. This vulnerability allows an attacker to inject arbitrary HTML tags and manipulate the rendered content in the application's response. Specifically, I was able to successfully inject a new HTML tag into the returned document and, as a result, was able to comment out some part of the Dolibarr App Home page HTML code. This behavior can be exploited to perform various attacks like Cross-Site Scripting (XSS). To remediate the issue, validate and sanitize all user-supplied input, especially within HTML attributes, to prevent HTML injection attacks; and implement proper output encoding when rendering user-provided data to ensure it is treated as plain text rather than executable HTML. Affected products include: Dolibarr Dolibarr Erp\/Crm. Version information: Version 18.0.4.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.
More in Dolibarr Erp Crm
View allAn issue in Dolibarr ERP CRM v.17.0.1 and before allows a remote privileged attacker to execute arbitrary code via a cra
Dolibarr before 17.0.1 allows remote code execution by an authenticated user via an uppercase manipulation: <?PHP instea
Dolibarr ERP/CRM 4.0.4 has SQL Injection in doli/theme/eldy/style.css.php via the lang parameter. Rated critical severit
Cross Site Scripting vulnerability in Dolibarr ERP CRM v.17.0.1 and before allows a remote attacker to obtain sensitive
Dolibarr ERP/CRM 4.0.4 stores passwords with the MD5 algorithm, which makes brute-force attacks easier. Rated critical s
SQL injection attacks can result in unauthorized access to sensitive data, such as passwords, credit card details, or pe
Dolibarr Open Source ERP & CRM for Business before v14.0.1 allows attackers to escalate privileges via a crafted API. Ra
Dolibarr ERP & CRM <=15.0.3 is vulnerable to Eval injection. Rated critical severity (CVSS 9.8), this vulnerability is r
The website builder module in Dolibarr 13.0.2 allows remote PHP code execution because of an incomplete protection mecha
The htdocs/index.php?mainmenu=home login page in Dolibarr 10.0.6 allows an unlimited rate of failed authentication attem
Vulnerabilities in Dolibarr ERP - CRM that affect version 9.0.1 and allow SQL injection. Rated critical severity (CVSS 9
File Upload vulnerability in Dolibarr ERP CRM v.17.0.1 and before allows a remote attacker to execute arbitrary code and
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today