CVE-2017-9838

Name of the Vulnerable Software and Affected Versions Dolibarr ERP/CRM versions prior to 5.0.4

Description The issue concerns multiple reflected Cross-Site Scripting (XSS) vulnerabilities. The affected API endpoints and parameters include: "index.php" with the leftmenu parameter, "core/ajax/box.php" with the PATH INFO, "product/stats/card.php" with the type parameter, "holiday/list.php" with the month create, month start, and month end parameters, and "don/card.php" with the societe, lastname, firstname, address, zipcode, town, and email parameters.

Recommendations For versions prior to 5.0.4, update to version 5.0.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable API endpoints until the update is applied. Avoid using the specified parameters in the affected endpoints until the issue is resolved.