{"id":16625,"date":"2021-07-08T11:39:17","date_gmt":"2021-07-08T09:39:17","guid":{"rendered":"https:\/\/herolab-usd.formwandler.rocks\/security-advisories\/usd-2019-0052\/"},"modified":"2021-07-19T14:12:15","modified_gmt":"2021-07-19T12:12:15","slug":"usd-2019-0052","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2019-0052\/","title":{"rendered":"usd-2019-0052"},"content":{"rendered":"<p>[et_pb_section fb_built=\"1\" _builder_version=\"4.9.4\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\"][et_pb_row _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_column type=\"4_4\" _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\"]<\/p>\n<h1 class=\"h-custom-headline usd-small-letters h2\"><span>usd-2019-0052 | Dolibarr ERP\/CRM ver. 3.0 \u2013 10.0.3<\/span><\/h1>\n<p><span><\/span><br \/><strong>Advisory ID<\/strong><span>: usd-2019-0052<\/span><br \/><strong>CVE Number<\/strong><span>: CVE-2019-19210<\/span><br \/><strong>Affected Product<\/strong><span>: Dolibarr ERP\/CRM<\/span><br \/><strong>Affected Version<\/strong><span>: 3.0 \u2013 10.0.3<\/span><br \/><strong>Vulnerability Type<\/strong><span>: Stored XSS<\/span><br \/><strong>Security Risk<\/strong><span>: High<\/span><br \/><strong>Vendor URL<\/strong><span>: <a href=\"https:\/\/www.dolibarr.org\/\" target=\"_blank\" rel=\"noopener\">https:\/\/www.dolibarr.org\/<\/a><\/span><br \/><strong>Vendor Status<\/strong><span>: Fixed (not verified)<\/span><\/p>\n<h3><\/h3>\n<h3>Description<\/h3>\n<p><span>An authenticated user can upload a malicious html file as a product document. Even though the file gets the extension \u201e.noexe\u201c, document.php serves files with the content-type \u201etext\/html\u201c. This also works with SVG files.<\/span><\/p>\n<h3>Proof of Concept (PoC)<\/h3>\n<p><span>test.html:<\/span><\/p>\n<p>[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" hover_enabled=\"0\" sticky_enabled=\"0\"]&lt;html&gt;<br \/>\n&lt;body&gt;<br \/>\n  &lt;script&gt;alert(\"XSS\")&lt;\/script&gt;<br \/>\n&lt;\/body&gt;<br \/>\n&lt;\/html&gt;<\/code><\/pre>\n<p>[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\"]<\/p>\n<p><span>Request the uploaded document:<\/span><\/p>\n<p>[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" hover_enabled=\"0\" sticky_enabled=\"0\"]\/dolibarr\/htdocs\/document.php?modulepart=produit&amp;amp;entity=1&amp;amp;attachment=0&amp;amp;file=1234%2F1234-test.html.noexe<\/code><\/pre>\n<p>[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\"]<\/p>\n<div class=\"e16902-22 x-container max width\">\n<div class=\"e16902-23 x-column x-sm x-1-1\">\n<h3>Fix<\/h3>\n<p><span>Do not serve user files with an content-type that allows the interpretation of HTML, for example use \u201eapplication\/octet-stream\u201c.<\/span><\/p>\n<h3><\/h3>\n<h3>Timeline<\/h3>\n<ul>\n<li>2019-09-06 Vulnerability discovered by Daniel Hoffmann<\/li>\n<li>2019-09-11 First contact with vendor<\/li>\n<li>2019-10-30 Vendor released version 10.0.3 which fixes the vulnerability (not verified)<\/li>\n<li>2020-02-05 Security advisory released<\/li>\n<\/ul>\n<h3><\/h3>\n<h3>Credits<\/h3>\n<p><span>This security vulnerability was discovered by Daniel Hoffmann of usd AG.<\/span><\/p>\n<\/div>\n<\/div>\n<p>[\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"<p>usd-2019-0052 | Dolibarr ERP\/CRM ver. 3.0 \u2013 10.0.3 Advisory ID: usd-2019-0052CVE Number: CVE-2019-19210Affected Product: Dolibarr ERP\/CRMAffected Version: 3.0 \u2013 10.0.3Vulnerability Type: Stored XSSSecurity Risk: HighVendor URL: https:\/\/www.dolibarr.org\/Vendor Status: Fixed (not verified) Description An authenticated user can upload a malicious html file as a product document. Even though the file gets the extension \u201e.noexe\u201c, document.php serves [&hellip;]<\/p>\n","protected":false},"author":96,"featured_media":0,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-16625","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16625","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/96"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=16625"}],"version-history":[{"count":0,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16625\/revisions"}],"up":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=16625"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}