CVE-2015-3935

Name of the Vulnerable Software and Affected Versions Dolibarr ERP/CRM versions 3.5 through 3.6

Description The issue allows remote attackers to inject arbitrary web script or HTML via the Business Search (search nom) field to (1) htdocs/societe/societe.php or (2) htdocs/societe/admin/societe.php. This enables attackers to execute malicious scripts on the victim's browser.

Recommendations For Dolibarr ERP/CRM versions 3.5 through 3.6, consider disabling the Business Search (search nom) field until a patch is available to prevent exploitation. Restrict access to the htdocs/societe/societe.php and htdocs/societe/admin/societe.php endpoints to minimize the risk of exploitation. Avoid using the search nom field in the affected API endpoints until the issue is resolved.