Marko Winkler

**Name of the Vulnerable Software and Affected Versions** Dolibarr versions prior to 19.0.2 **Description** A Reflected Cross-site scripting (XSS) vulnerability is located in htdocs/compta/paiement/card.php, allowing remote attackers to inject arbitrary web script or HTML via a crafted payload injected into the `facid` parameter. **Recommendations** For versions prior to 19.0.2, update to version 19.0.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable `card.php` file in the `htdocs/compta/paiement` directory until a patch is applied. Avoid using the `facid` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Eramba versions 3.22.3 through 3.22.3 **Description** A stored cross-site scripting (XSS) issue in the Filter function allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the `filter name` field. **Recommendations** For Eramba version 3.22.3, update to version 3.23.0 to resolve the issue.