Cross-site Scripting (XSS) - Reflected in dolibarr/dolibarr

Valid

Reported on

Jul 25th 2021

Description

Reflected XSS attacks, also known as non-persistent attacks, occur when a malicious script is reflected off of a web application to the victim's browser. The script is activated through a link, which sends a request to a website with a vulnerability that enables execution of malicious scripts.

Proof of Concept

Payload:

http://localhost/dolibarr/htdocs/comm/action/list.php?action=show_list&actioncode=0&filtert=-1&mainmenu=agenda&status=aaaaaaaaaa%27;alert(%27hacked%27);//

Impact

XSS can have huge implications for a web application and its users. User accounts can be hijacked, change the html screen and insult the organization. Credentials could be stolen, sensitive data could be exfiltrated, and lastly, access to your client computers can be obtained.

We have contacted a member of the dolibarr team and are waiting to hear back 2 years ago
Laurent Destailleur validated this vulnerability 2 years ago
laladee has been awarded the disclosure bounty
The fix bounty is now up for grabs
Laurent Destailleur marked this as fixed with commit 505543 2 years ago
Laurent Destailleur has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation