Security Research & Advisories

Multiple Reflected & Stored Cross-Site Scripting (XSS) Vulnerabilities in Dolibarr

Product Dolibarr
Affected Version(s) 5.0.3 probably prior
Tested Version(s) 5.0.3
Vulnerability Discovery June 3, 2017
Vendor Notification June 6, 2017
Advisory Publication June 7, 2017 [without technical details]
Vendor Acknowledgment June 18, 2017
Vendor Fix Partially fixed as of 5.0.4
Public Disclosure March 12, 2017
Latest Modification March 12, 2017
CVE Identifier(s) CVE-2017-9838
Product Description Dolibarr ERP/CRM is an open source, free software package for small and medium companies, foundations or freelancers. It includes different features for enterprise resource planning (ERP) and customer relationship management (CRM) but also other features for different activities.
Credits Yann Chalençon, Security Researcher & Penetration Tester @wizlynx group

Vulnerability Details

Multiple Reflected & Stored Cross-Site Scripting (XSS)
Severity: Medium CVSS Score: 6.1 CWE-ID: CWE-79 Status: Partially Fixed
Vulnerability Description
The application Dolibarr is affected by multiple reflected & stored Cross-Site Scripting (XSS) vulnerabilities affecting version 5.0.3 and prior versions. These vulnerabilities could allow remote authenticated attackers to inject arbitrary web script or HTML.
CVSS Base Score
Attack Vector Network Scope Changed
Attack Complexity Low Confidentiality Impact Low
Privileges Required None Integrity Impact Low
User Interaction Required Availability Impact None


Reflected XSS

Due to the lack of input validation and output encoding the leftmenu request parameter is affected by a reflected Cross-Site Scripting. When submitting the payload </script><script>alert(document.cookie)</script> in the leftmenu parameter, this input is echoed unmodified in the application's response resulting in a reflected XSS condition.


The following screenshot shows the JavaScript being executed on the client side:

Other affected pages & parameters:

/htdocs/core/ajax/box.php/ #arbitrary supplied URL Parameter


/htdocs/product/stats/card.php #type


/htdocs/holiday/list.php #month_create


/htdocs/holiday/list.php #month_start


/htdocs/holiday/list.php #month_end


Reflected XSS

By changing the request method from POST to GET when adding a new donation, it is possible to bypass Dolibarr’s Anti-XSS mechanism and store a malicious JavaScript in multiple parameters such as:

  • societe
  • lastname
  • firstname
  • address
  • zipcode
  • town
  • email

The following screenshot shows an example with “societe” parameter:

The following screenshot shows the response when visiting the donation ID #5 with previously injected XSS

The following screenshot shows the server’s response displayed in the browser

Note: As of 12th of March 2018, all reflected vulnerabilities have been fixed in version Dolibarr 5.0.4. The stored Cross-Site Scripting have been tested in version 7.0.0 and are still present.