CVE-2019-19210

Name of the Vulnerable Software and Affected Versions Dolibarr ERP/CRM versions prior to 10.0.3

Description The issue allows for XSS because uploaded HTML documents are served as text/html despite being renamed to .noexe files. This occurs due to the improper handling of uploaded files, specifically HTML documents, which are still served with a text/html content type even after being renamed with a .noexe extension.

Recommendations For versions prior to 10.0.3, update to version 10.0.3 or later to resolve the issue. As a temporary workaround, consider restricting the upload of HTML documents or ensuring that such files are properly sanitized and served with an appropriate content type to prevent XSS exploitation.