usd-2019-0052 | Dolibarr ERP/CRM ver. 3.0 – 10.0.3
Advisory ID: usd-2019-0052
CVE Number: CVE-2019-19210
Affected Product: Dolibarr ERP/CRM
Affected Version: 3.0 – 10.0.3
Vulnerability Type: Stored XSS
Security Risk: High
Vendor URL: https://www.dolibarr.org/
Vendor Status: Fixed (not verified)
An authenticated user can upload a malicious HTML file as a product document. Even though the stored file gets the extension ".noexe", document.php serves it with the content-type "text/html". This also works with SVG files.
Proof of Concept (PoC)
Request the uploaded document:
Do not serve user-supplied files with a content-type that allows the browser to interpret them as HTML; for example, use "application/octet-stream".
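The mitigation above, as an added framework-agnostic example (not Dolibarr's document.php): a weak handler that derives the response type from the upload's original name beside a hardened one that always forces an inert download. Function and header names are illustrative assumptions.

```python
"""Serving user uploads as inert downloads (added mitigation demo, not Dolibarr code)."""
import mimetypes
import re

# Types a browser will render as active content (scripts run) when served inline.
ACTIVE_CONTENT_TYPES = {
    "text/html",
    "application/xhtml+xml",
    "image/svg+xml",
    "text/xml",
    "application/xml",
}


def weak_headers(original_name: str) -> dict:
    """Illustrative weak handler (assumed, not the vendor's code): the type is
    guessed from the original upload name and the file is served inline, so a
    stored HTML or SVG document is rendered in the application's origin.
    Renaming the stored file (e.g. appending .noexe) does not change this."""
    guessed, _ = mimetypes.guess_type(original_name)
    return {
        "Content-Type": guessed or "application/octet-stream",
        "Content-Disposition": "inline",
    }


def safe_download_name(name: str) -> str:
    """Reduce the filename to a safe token for the Content-Disposition header."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base)
    return base or "download"


def hardened_headers(original_name: str) -> dict:
    """Hardened handler: the browser never interprets a user upload.
    Fixed octet-stream type, forced download, MIME sniffing disabled."""
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe_download_name(original_name)}"',
        "X-Content-Type-Options": "nosniff",
    }


def serves_active_content(headers: dict) -> bool:
    """Review check: would this response let the browser render the file as HTML/SVG?"""
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    disposition = headers.get("Content-Disposition", "inline").lower()
    return ctype in ACTIVE_CONTENT_TYPES and not disposition.startswith("attachment")
```

`serves_active_content` can be run over the headers a download endpoint actually emits to confirm the fix on a deployment.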
- 2019-09-06 Vulnerability discovered by Daniel Hoffmann
- 2019-09-11 First contact with vendor
- 2019-10-30 Vendor released version 10.0.3 which fixes the vulnerability (not verified)
- 2020-02-05 Security advisory released
This security vulnerability was discovered by Daniel Hoffmann of usd AG.