Security Research & Advisories

Multiple Stored Cross-Site Scripting Vulnerabilities in Dolibarr CRM

Product: Dolibarr
Affected Version(s): 11.0.4 and probably prior
Tested Version(s): 11.0.4
Vendor Notification: May 27, 2020
Advisory Publication: May 27, 2020 [without technical details]
Vendor Fix: N/A
Public Disclosure: N/A
Latest Modification: May 27, 2020
CVE Identifier(s): CVE-2020-13828
Product Description: Dolibarr ERP/CRM is an open source, free software package for small and medium companies, foundations or freelancers. It includes different features for enterprise resource planning (ERP) and customer relationship management (CRM) but also other features for different activities.
Credits: Luis Noriega, Security Researcher & Penetration Tester @wizlynx group

Vulnerability Details

Stored Cross-Site Scripting (XSS) Vulnerability
Severity: Medium
CVSS Score: 6.1
CWE-ID: CWE-79
Status: Not Fixed
Vulnerability Description
Dolibarr ERP/CRM is affected by multiple stored cross-site scripting (XSS) vulnerabilities in version 11.0.4 and probably earlier versions. They allow a remote authenticated attacker to inject arbitrary web script or HTML that the application stores and later renders unescaped, so the payload executes in the browser of any user who views the affected page.
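The advisory withholds the affected fields, so the following is a generic illustration of the CWE-79 pattern the description refers to, added here as an example; it is not Dolibarr code and does not reproduce the reported issue. The record, the field names and the HTML fragment are constructed; the contrast is between interpolating a stored value into HTML verbatim and passing it through HTML entity encoding first, with a small parser-based audit that a reviewer can run over rendered output to confirm no stored data became active markup.

```python
import html
from html.parser import HTMLParser
from typing import Dict, List, Tuple

# Constructed sample record, as a low-privileged CRM user might save it.
# The "name" field carries an XSS probe (constructed test input, not from the advisory).
SAMPLE_RECORD: Dict[str, str] = {
    "id": "42",
    "name": 'Acme <img src=x onerror="alert(document.cookie)">',
    "note": "Contact prefers e-mail & phone",
}

# Tags the template itself emits; anything else in the output came from stored data.
ALLOWED_TAGS = {"tr", "td"}


def render_unsafe(record: Dict[str, str]) -> str:
    """Vulnerable pattern (CWE-79): stored fields interpolated into HTML verbatim.

    Whatever the attacker saved is handed to the victim's browser as markup.
    """
    return (
        f'<tr><td>{record["id"]}</td>'
        f'<td>{record["name"]}</td>'
        f'<td>{record["note"]}</td></tr>'
    )


def render_safe(record: Dict[str, str]) -> str:
    """Hardened form: every untrusted field is HTML-entity encoded at output time.

    quote=True also encodes quotes, so the value stays safe inside attributes.
    """
    cells = "".join(
        f"<td>{html.escape(value, quote=True)}</td>"
        for value in (record["id"], record["name"], record["note"])
    )
    return f"<tr>{cells}</tr>"


class MarkupAudit(HTMLParser):
    """Records every start tag and every on* event-handler attribute a browser would see."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: List[str] = []
        self.handlers: List[Tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        for name, _value in attrs:
            if name.lower().startswith("on"):
                self.handlers.append((tag, name))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)


def injected_markup(rendered_html: str) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Parse a rendered fragment and return (unexpected tags, event handlers).

    Both lists are empty when stored data could not introduce any markup.
    Entity-encoded text such as '&lt;img' stays character data and never
    produces a start tag, which is exactly what output encoding guarantees.
    """
    audit = MarkupAudit()
    audit.feed(rendered_html)
    audit.close()
    unexpected = [tag for tag in audit.tags if tag not in ALLOWED_TAGS]
    return unexpected, audit.handlers


if __name__ == "__main__":
    for label, renderer in (("unsafe", render_unsafe), ("safe", render_safe)):
        fragment = renderer(SAMPLE_RECORD)
        print(f"[{label}] {fragment}")
        print(f"[{label}] injected: {injected_markup(fragment)}")
```

The audit is a review aid, not a mitigation: the fix is the encoding in render_safe applied at every output point for every stored field, plus a Content-Security-Policy without unsafe-inline as defense in depth. Encoding on input instead of output tends to break fields that are reused in non-HTML contexts (CSV exports, e-mail, JSON).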
CVSS Base Score
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None


Full details about the vulnerability will be disclosed once the vendor has provided a patch.