CVE-2019-17576

Name of the Vulnerable Software and Affected Versions Dolibarr version 10.0.2

Description The issue is related to a security problem where an attacker can inject malicious code. This is possible through the "outgoing email setup" feature, specifically in the "/admin/mails.php?action=edit" API endpoint, by manipulating the "Send all emails to (instead of real recipients, for test purposes)" field and the "Email used for error returns emails (fields 'Errors-To' in emails sent)" field.

Recommendations For Dolibarr version 10.0.2, as a temporary workaround, consider restricting access to the "/admin/mails.php?action=edit" API endpoint until a patch is available. Avoid using the "Send all emails to (instead of real recipients, for test purposes)" and "Email used for error returns emails (fields 'Errors-To' in emails sent)" fields in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.