CVE-2021-25955

Name of the Vulnerable Software and Affected Versions Dolibarr ERP CRM versions 2.8.1 through 13.0.2

Description The issue is related to a stored XSS vulnerability in the WYSIWYG Editor module. This vulnerability allows low-privileged application users to store malicious scripts in the Private Note field at the "/adherents/note.php?id=1" endpoint. When a victim opens the page containing the vulnerable field, the scripts are executed in their browser. In the worst-case scenario, the victim could be a highly privileged administrator, and the injected scripts can extract the Session ID, leading to full account takeover. Additionally, due to another vulnerability (Improper Access Control on Private notes), a low-privileged user can update private notes, which could lead to privilege escalation.

Recommendations For versions 2.8.1 through 13.0.2, as a temporary workaround, consider disabling the WYSIWYG Editor module until a patch is available. Restrict access to the "/adherents/note.php?id=1" endpoint to minimize the risk of exploitation. Avoid using the Private Note field in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.