
Erwan Robin

Researcher at DIGITEMIS CYBERSECURITY & PRIVACY
Rank #16972 of 53,632
15.9 total CVSS
Vulnerabilities · 2
Medium: 1
Critical: 1
PT-2019-9375 · CVSS 6.1 · 2019-03-07
Dolibarr · Dolibarr · CVE-2018-16808

**Name of the Vulnerable Software and Affected Versions**
Dolibarr versions prior to 7.0.1

**Description**
The issue concerns stored XSS in the expense reports plugin. It occurs via the `comments` parameter, or via a public or private note, in the expensereport/card.php file.

**Recommendations**
For versions prior to 7.0.1, update to version 7.0.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the expensereport/card.php file or disabling the expense reports plugin until a patch is available. Avoid using the `comments` parameter in the affected plugin until the issue is resolved.
PT-2019-9376 · CVSS 9.8 · 2019-03-07
Dolibarr · Dolibarr · CVE-2018-16809

**Name of the Vulnerable Software and Affected Versions**
Dolibarr versions prior to 7.0.1

**Description**
An issue was discovered in the expense reports module, specifically in expensereport/card.php, which allows SQL injection via the integer parameters `qty` and `value unit`.

**Recommendations**
For versions prior to 7.0.1, update to version 7.0.1 or later to resolve the issue.