CVE-2017-14239

Name of the Vulnerable Software and Affected Versions Dolibarr ERP/CRM version 6.0.0

Description The issue allows remote authenticated users to inject arbitrary web script or HTML via multiple parameters to the htdocs/admin/company.php endpoint. The vulnerable parameters include CompanyName, CompanyAddress, CompanyZip, CompanyTown, Fax, EMail, Web, ManagingDirectors, Note, Capital, ProfId1, ProfId2, ProfId3, ProfId4, ProfId5, and ProfId6.

Recommendations For Dolibarr ERP/CRM version 6.0.0, as a temporary workaround, consider restricting access to the htdocs/admin/company.php endpoint until a patch is available. Avoid using the vulnerable parameters in this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.