usd-2019-0052 | Dolibarr ERP/CRM ver. 3.0 – 10.0.3

Advisory ID: usd-2019-0052
CVE Number: CVE-2019-19210
Affected Product: Dolibarr ERP/CRM
Affected Version: 3.0 – 10.0.3
Vulnerability Type: Stored XSS
Security Risk: High
Vendor URL:
Vendor Status: Fixed (not verified)


An authenticated user can upload a malicious HTML file as a product document. Even though the stored file gets the extension ".noexe", document.php serves it with the content-type "text/html". The same applies to SVG files.

Proof of Concept (PoC)

Request the uploaded document:



Do not serve user files with a content-type that allows the interpretation of HTML; for example, use "application/octet-stream".
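As an added illustration (not Dolibarr's code), the following Python shows the header policy this recommendation implies for a document-serving endpoint, and a check that can be run against the response headers of document.php after upgrading to confirm that uploaded HTML/SVG is no longer rendered. The inline allow-list and the handling of the ".noexe" suffix are assumptions for the example.

```python
# Added example, not Dolibarr code: header policy for user-uploaded documents
# plus a check that a document response can no longer be rendered as markup.
import re

# Content types from which a browser will execute script when rendered inline.
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml",
                "text/xml", "application/xml"}
# Assumed allow-list of passive types that may be shown inline; anything else,
# including HTML and SVG, is forced to an opaque download.
INLINE_OK = {"pdf": "application/pdf", "png": "image/png", "jpeg": "image/jpeg",
             "jpg": "image/jpeg", "gif": "image/gif"}

def safe_download_headers(filename: str, inline: bool = False) -> dict:
    """Headers for serving an uploaded file. A stored name may carry the
    '.noexe' suffix from the advisory; the real extension is the one before it."""
    name = filename.rsplit("/", 1)[-1]
    base = name[:-len(".noexe")] if name.endswith(".noexe") else name
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    ctype = INLINE_OK.get(ext) if inline else None
    if ctype is None:                       # unknown or active type: never renderable
        ctype = "application/octet-stream"
    disposition = "attachment" if ctype == "application/octet-stream" else "inline"
    safe_name = re.sub(r'[\r\n"]', "_", base)   # no header injection via the name
    return {
        "Content-Type": ctype,
        "Content-Disposition": f'{disposition}; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",    # stop MIME sniffing back to HTML
    }

def response_renders_markup(headers: dict) -> bool:
    """True if a browser could render this document response as HTML/SVG.
    Run it on the headers returned by document.php for an uploaded .html file."""
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    disposition = h.get("content-disposition", "").strip().lower()
    if ctype == "":                          # missing type is sniffed by browsers
        return True
    return ctype in ACTIVE_TYPES and not disposition.startswith("attachment")
```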


  • 2019-09-06 Vulnerability discovered by Daniel Hoffmann
  • 2019-09-11 First contact with vendor
  • 2019-10-30 Vendor released version 10.0.3 which fixes the vulnerability (not verified)
  • 2020-02-05 Security advisory released


This security vulnerability was discovered by Daniel Hoffmann of usd AG.