PT-2020-13389 · Dolibarr · Dolibarr

Published: 2020-05-20 · Updated: 2025-04-03 · CVE-2020-13239

CVSS v3.1: 5.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Dolibarr version 11.0.4

Description: The issue concerns the DMS/ECM module, which renders user-uploaded .html files in the browser when the attachment parameter is removed from the direct download link, leading to a Cross-Site Scripting (XSS) issue.

Recommendations: For Dolibarr version 11.0.4, consider disabling the rendering of user-uploaded .html files in the browser as a temporary workaround until a patch is available. Restrict access to the DMS/ECM module to minimize the risk of exploitation. Avoid removing the attachment parameter from direct download links for .html files until the issue is resolved.
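As an added illustration of the recommended workaround (example code, not Dolibarr's own), a minimal download-header decision for a document store: user-uploaded HTML and other browser-active types are always sent as an attachment, whatever the request's attachment parameter says. The file names and the parameter name are assumptions.

```python
import mimetypes
import os
from dataclasses import dataclass
from typing import Optional

# Types a browser would execute as active content in the application's origin.
# These are always downloaded, never rendered inline, regardless of the request.
ACTIVE_CONTENT_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml"}


@dataclass
class DownloadHeaders:
    content_type: str
    content_disposition: str
    content_type_options: str = "nosniff"  # stop the browser sniffing bytes into HTML


def download_headers(filename: str, attachment_param: Optional[str]) -> DownloadHeaders:
    """Decide response headers for a stored file.

    The vulnerable pattern lets the client choose: with the attachment parameter
    omitted the file is served inline, so an uploaded .html runs as a page of the
    application. Here the server decides: active content is always an attachment
    and is labelled as opaque bytes; only inert types honour the caller's choice.
    """
    basename = os.path.basename(filename)  # assumption: store path is not client-controlled
    safe_name = basename.replace('"', "").replace("\r", "").replace("\n", "")
    guessed, _ = mimetypes.guess_type(basename)
    content_type = guessed or "application/octet-stream"

    if content_type in ACTIVE_CONTENT_TYPES:
        # Force download and neutralise the declared type.
        return DownloadHeaders("application/octet-stream",
                               f'attachment; filename="{safe_name}"')

    # Inert types (PDF, images, plain text) may follow the request's preference.
    disposition = "attachment" if attachment_param == "1" else "inline"
    return DownloadHeaders(content_type, f'{disposition}; filename="{safe_name}"')
```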

XSS
Related Identifiers

BIT-DOLIBARR-2020-13239
CVE-2020-13239
GHSA-FVF9-2HJP-W936

Affected Products

Dolibarr