PT-2014-5658 · Dolibarr · Dolibarr Erp/Crm

Published: 2014-07-11 · Updated: 2022-11-17 · CVE-2014-3991

CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Dolibarr ERP/CRM version 3.5.3

Description: The issue allows remote attackers to inject arbitrary web script or HTML via various parameters of several PHP files, including index.php, user/index.php, user/logout.php, user/fiche.php, and viewimage.php. The vulnerable parameters are dol_use_jmobile, dol_optimize_smallscreen, dol_no_mouse_hover, dol_hide_topmenu, dol_hide_leftmenu, mainmenu, leftmenu, email, firstname, job, lastname, login, modulepart, and file.

Recommendations: For Dolibarr ERP/CRM version 3.5.3, consider disabling the vulnerable parameters until a patch is available. Restrict access to the affected PHP files to minimize the risk of exploitation. Avoid using the parameters dol_use_jmobile, dol_optimize_smallscreen, dol_no_mouse_hover, dol_hide_topmenu, dol_hide_leftmenu, mainmenu, leftmenu, email, firstname, job, lastname, login, modulepart, and file on the affected endpoints until the issue is resolved.
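As an added defensive example that is not part of this advisory or of Dolibarr itself: a Python detector that scans web-server access logs for requests to the PHP files named above whose listed parameters carry HTML markup. The /dolibarr/ web root, the client addresses and the log lines are constructed for the example, and quotes are deliberately not treated as suspicious so that legitimate names such as O'Brien do not raise alerts.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Affected scripts and parameters as listed in the advisory, relative to the Dolibarr web root.
AFFECTED_FILES = {"index.php", "user/index.php", "user/logout.php", "user/fiche.php", "viewimage.php"}
AFFECTED_PARAMS = {"dol_use_jmobile", "dol_optimize_smallscreen", "dol_no_mouse_hover",
                   "dol_hide_topmenu", "dol_hide_leftmenu", "mainmenu", "leftmenu", "email",
                   "firstname", "job", "lastname", "login", "modulepart", "file"}

# Tag brackets, a javascript: scheme or an inline event handler are the signal; quotes are
# not matched on their own because they occur in ordinary names and addresses.
SUSPICIOUS = re.compile(r"<|>|javascript:|\bon\w+\s*=", re.IGNORECASE)

# Minimal Common Log Format parser; only the request target is needed here.
LOG_RE = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')

def flag_request(line, web_root="/dolibarr/"):
    """Return (affected_file, [parameter, ...]) when a request matches the advisory, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.startswith(web_root):
        return None
    rel = url.path[len(web_root):]
    if rel not in AFFECTED_FILES:
        return None
    hits = []
    for name, values in parse_qs(url.query, keep_blank_values=True).items():
        # parse_qs decodes once; a second unquote_plus catches double-encoded values.
        if name in AFFECTED_PARAMS and any(SUSPICIOUS.search(unquote_plus(v)) for v in values):
            hits.append(name)
    return (rel, sorted(hits)) if hits else None

def scan(lines, web_root="/dolibarr/"):
    """Run flag_request over a log and return only the flagged entries, in log order."""
    return [hit for hit in (flag_request(l, web_root) for l in lines) if hit]

# Constructed sample log lines (hypothetical web root and addresses), not from any real deployment.
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Jul/2014:10:00:00 +0000] "GET /dolibarr/index.php?mainmenu=home&leftmenu= HTTP/1.1" 200 512',
    '203.0.113.5 - - [11/Jul/2014:10:00:01 +0000] "GET /dolibarr/index.php?mainmenu=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512',
    '198.51.100.7 - - [11/Jul/2014:10:00:02 +0000] "GET /dolibarr/user/fiche.php?action=create&firstname=O%27Brien HTTP/1.1" 200 2048',
    '198.51.100.7 - - [11/Jul/2014:10:00:03 +0000] "GET /dolibarr/viewimage.php?modulepart=%253Cb%253Ex&file=logo.png HTTP/1.1" 200 1024',
    '192.0.2.9 - - [11/Jul/2014:10:00:04 +0000] "GET /dolibarr/comm/index.php?mainmenu=%3Cb%3E HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for rel, params in scan(SAMPLE_LOG):
        print(f"{rel}: markup in parameter(s) {', '.join(params)}")
```

The last sample line is not flagged because comm/index.php is outside the advisory's file list; widen AFFECTED_FILES if the deployment needs broader coverage.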

Exploit

Fix

XSS


Weakness Enumeration

Related identifiers

CVE-2014-3991

Affected products

Dolibarr Erp/Crm