Dolibarr · Dolibarr ERP/CRM · CVE-2015-3935
**Name of the Vulnerable Software and Affected Versions**
Dolibarr ERP/CRM versions 3.5 through 3.6
**Description**
The issue allows remote attackers to inject arbitrary web script or HTML via the Business Search (`search_nom`) field of (1) `htdocs/societe/societe.php` or (2) `htdocs/societe/admin/societe.php`: the submitted value is reflected into the page without being encoded for HTML. This enables attackers to execute malicious scripts in the victim's browser.
**Recommendations**
For Dolibarr ERP/CRM versions 3.5 through 3.6, consider disabling the Business Search (`search_nom`) field until a patch is available, to prevent exploitation.
Restrict access to the `htdocs/societe/societe.php` and `htdocs/societe/admin/societe.php` pages to minimize the risk of exploitation.
Avoid using the `search_nom` field on the affected pages until the issue is resolved.
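The root cause described above is a search value reflected into HTML without encoding. The following is an added example, not Dolibarr's own code, showing that bug class beside the corrected pattern; the function names are hypothetical, and the parameter name `search_nom` is the one from this advisory.

```php
<?php
// Added illustration for CVE-2015-3935's bug class (reflected XSS in a search field).
// Not Dolibarr code; helper names are hypothetical.
declare(strict_types=1);

// Unsafe pattern: the submitted value is concatenated straight into markup,
// so quote characters or tags inside it become part of the page.
function render_search_field_unsafe(string $searchNom): string
{
    return '<input type="text" name="search_nom" value="' . $searchNom . '">';
}

// Safe pattern: encode for the HTML attribute context before reflecting.
// ENT_QUOTES encodes both ' and ", so the value cannot break out of the attribute;
// the explicit UTF-8 charset avoids encoding mismatches that can bypass filtering.
function render_search_field_safe(string $searchNom): string
{
    $encoded = htmlspecialchars($searchNom, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="search_nom" value="' . $encoded . '">';
}

// Constructed sample input containing characters that are significant in HTML;
// when run behind a web server the real GET parameter is used instead.
$submitted = isset($_GET['search_nom'])
    ? (string) $_GET['search_nom']
    : 'Acme "Ltd" <b>';

echo render_search_field_safe($submitted), PHP_EOL;
```

Applying the same encoding at every point where `search_nom` is written back into the page (the input field, column headers, pagination links) is what a patch for this advisory has to cover; encoding only one reflection leaves the others exposed.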