CVE-2020-13828

Name of the Vulnerable Software and Affected Versions Dolibarr version 11.0.4

Description The issue concerns multiple stored Cross-Site Scripting (XSS) vulnerabilities. These could allow remote authenticated attackers to inject arbitrary web script or HTML. This can be done via several API endpoints, including "ticket/card.php?action=create" with the subject, message, or address parameter, "adherents/card.php" with the societe or address parameter, "product/card.php" with the label or customcode parameter, or "societe/card.php" with the alias or barcode parameter.

Recommendations For Dolibarr version 11.0.4, update to a version that includes a fix for these stored XSS vulnerabilities. As a temporary workaround, consider restricting access to the affected API endpoints, such as "ticket/card.php?action=create", "adherents/card.php", "product/card.php", and "societe/card.php", to minimize the risk of exploitation. Additionally, limit the use of vulnerable parameters like subject, message, address, societe, label, customcode, alias, and barcode in these endpoints until a patch is available.