Dolibarr ERP/CRM cross-site scripting | CVE-2022-2060
NAME
Dolibarr ERP/CRM cross-site scripting
- Platforms Affected:
Dolibarr Dolibarr ERP/CRM 3.0.0
Dolibarr Dolibarr ERP/CRM 3.3.1
Dolibarr Dolibarr ERP/CRM 3.5.3
Dolibarr Dolibarr ERP/CRM 3.9.0
Dolibarr Dolibarr ERP/CRM 4.0.4
Dolibarr Dolibarr ERP/CRM 8.0.3
Dolibarr Dolibarr ERP/CRM 10.0.1
Dolibarr Dolibarr ERP/CRM 11.0.4
Dolibarr Dolibarr ERP/CRM 13.0.2
Dolibarr Dolibarr ERP/CRM 2.8.1
Dolibarr Dolibarr ERP/CRM 3.3.beta1_20121221
Dolibarr Dolibarr ERP/CRM 14.0.1
Dolibarr Dolibarr ERP/CRM 15.0
Dolibarr Dolibarr ERP/CRM 14.0.0
- Risk Level: 9.1
- Exploitability: High
- Consequences: Cross-Site Scripting
DESCRIPTION
Dolibarr ERP/CRM is vulnerable to cross-site scripting, caused by improper validation of user-supplied input in the admin/accountant.php script. A remote authenticated attacker could exploit this vulnerability through the town, name, and Accountant code fields to inject malicious script into a Web page, which would be executed in a victim's Web browser within the security context of the hosting Web site once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
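The weakness described above is a classic output-encoding gap: values stored from form fields are later written back into HTML without being escaped. The following PHP snippet is an added illustration and is not Dolibarr's code; the field names (name, town, code_compta), the row layout and the helper function are assumptions chosen for the example. It shows the vulnerable rendering pattern beside the hardened form, where every user-controlled value passes through htmlspecialchars() before it reaches the page, and checks with assertions that the hardened output no longer contains live markup.

```php
<?php
// Added example, not Dolibarr's own code. Field names (name, town, code_compta)
// and the table layout are assumptions for illustration only.
declare(strict_types=1);

/** Encode a value for safe insertion into HTML text or a quoted attribute. */
function esc(string $value): string
{
    // ENT_QUOTES also encodes single and double quotes, so the value cannot
    // break out of an attribute such as value="...".
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Vulnerable pattern: stored field values are echoed into the page verbatim. */
function render_accountant_unsafe(array $row): string
{
    return '<tr><td>' . $row['name'] . '</td>'
         . '<td>' . $row['town'] . '</td>'
         . '<td><input name="code_compta" value="' . $row['code_compta'] . '"></td></tr>';
}

/** Hardened form: every user-controlled value is encoded at output time. */
function render_accountant_safe(array $row): string
{
    return '<tr><td>' . esc($row['name']) . '</td>'
         . '<td>' . esc($row['town']) . '</td>'
         . '<td><input name="code_compta" value="' . esc($row['code_compta']) . '"></td></tr>';
}

// Constructed sample record: one field carries an HTML tag, another carries a
// quote that would close the surrounding attribute if left unencoded.
$row = [
    'name'        => 'Cabinet <i>injected</i>',
    'town'        => 'Paris',
    'code_compta' => '"><i>x</i>',
];

$unsafe = render_accountant_unsafe($row);
$safe   = render_accountant_safe($row);

// The unsafe output still contains live markup; the hardened output contains
// only encoded entities, so the browser renders the text literally.
assert(strpos($unsafe, '<i>') !== false);
assert(strpos($safe, '<i>') === false);
assert(strpos($safe, '&lt;i&gt;') !== false);
assert(strpos($safe, 'value="&quot;&gt;') !== false);

echo $unsafe, "\n", $safe, "\n";
```

Run it with `php example.php`; the second printed line is the encoded table row. Encoding at the point of output is the control that holds regardless of where the value came from; filtering on input (for example rejecting tags when the field is saved) is useful defence in depth but does not protect data already present in the database or values written through other code paths.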
CVSS 3.0 Information
- Privileges Required: High
- User Interaction: None
- Scope: Changed
- Access Vector: Network
- Access Complexity: Low
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
- Remediation Level: Official Fix
MITIGATION
Refer to the Dolibarr ERP/CRM GIT Repository for patch, upgrade or suggested workaround information. See References.
- Reference Link: https://huntr.dev/bounties/2acfc8fe-247c-4f88-aeaa-042b6b8690a0/
- Reference Link: https://github.com/dolibarr/dolibarr/commit/2b5b9957c3010a5db9d1988c2efe5b209b16b47f