CVE-2020-7994

Name of the Vulnerable Software and Affected Versions Dolibarr version 10.0.6

Description Multiple cross-site scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary web script or HTML via various parameters to different pages, including the label[libelle] parameter to the "/htdocs/admin/dict.php?id=3" page, the name[constname] parameter to the "/htdocs/admin/const.php?mainmenu=home" page, the note[note] parameter to the "/htdocs/admin/dict.php?id=10" page, the zip[MAIN INFO SOCIETE ZIP] or email[mail] parameter to the "/htdocs/admin/company.php" page, the url[defaulturl], field[defaultkey], or value[defaultvalue] parameter to the "/htdocs/admin/defaultvalues.php" page, the key[transkey] or key[transvalue] parameter to the "/htdocs/admin/translation.php" page, or the [main motd] or [main home] parameter to the "/htdocs/admin/ihm.php" page.

Recommendations As a temporary workaround, consider disabling access to the vulnerable API endpoints until a patch is available. Restrict input for the label[libelle], name[constname], note[note], zip[MAIN INFO SOCIETE ZIP], email[mail], url[defaulturl], field[defaultkey], value[defaultvalue], key[transkey], key[transvalue], [main motd], and [main home] parameters to prevent arbitrary web script or HTML injection. At the moment, there is no information about a newer version that contains a fix for this vulnerability.