CVE-2019-11199

Name of the Vulnerable Software and Affected Versions Dolibarr ERP/CRM version 9.0.1

Description The issue concerns stored XSS within uploaded files, allowing the execution of a JavaScript payload when a user clicks on a malicious link hosted on the same domain. This could be exploited by low-privileged users to target administrators. The viewimage.php page is specifically vulnerable due to the lack of contextual output encoding, displaying the content of uploaded files with a user-requested MIME type.

Recommendations For Dolibarr ERP/CRM version 9.0.1, consider implementing proper output encoding for the viewimage.php page to prevent the execution of malicious scripts. As a temporary workaround, restrict access to uploading files or limit the types of files that can be uploaded to minimize the risk of exploitation.