PT-2014-5658 · Dolibarr · Dolibarr Erp/Crm

Published: 2014-07-11 · Updated: 2022-11-17 · CVE-2014-3991

CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Dolibarr ERP/CRM version 3.5.3

Description: The issue allows remote attackers to inject arbitrary web script or HTML via various parameters to different PHP files, including index.php, user/index.php, user/logout.php, user/fiche.php, and viewimage.php. The vulnerable parameters include dol_use_jmobile, dol_optimize_smallscreen, dol_no_mouse_hover, dol_hide_topmenu, dol_hide_leftmenu, mainmenu, leftmenu, email, firstname, job, lastname, login, modulepart, and file.

Recommendations: For Dolibarr ERP/CRM version 3.5.3, consider disabling the vulnerable parameters until a patch is available. Restrict access to the affected PHP files to minimize the risk of exploitation. Avoid using the parameters dol_use_jmobile, dol_optimize_smallscreen, dol_no_mouse_hover, dol_hide_topmenu, dol_hide_leftmenu, mainmenu, leftmenu, email, firstname, job, lastname, login, modulepart, and file in the affected API endpoints until the issue is resolved.

Tags: XSS


Weakness Enumeration

Related Identifiers: CVE-2014-3991

Affected Products: Dolibarr Erp/Crm