Medium severity (score 5.4) · NVD Advisory · Published Jan 15, 2016 · Updated May 6, 2026
CVE-2016-1912
Description
Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM 3.8.3 allow remote authenticated users to inject arbitrary web script or HTML via the (1) lastname, (2) firstname, (3) email, (4) job, or (5) signature parameter to htdocs/user/card.php.
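To make the description concrete, here is an added PHP example (written for this page, not Dolibarr's own code) that renders the five card.php fields named above for an HTML body context by escaping each value at output time. The helper names (`h`, `renderUserCard`, `renderStoredEncodedField`), the `CARD_FIELDS` list and the sample user record are constructed for illustration. It also shows what happens when a field was already HTML-encoded when it was read and stored, which is the approach the GETPOST patch listed under Patches takes.

```php
<?php
// Added example, not Dolibarr's code: render a user card for an HTML body
// context by escaping each field at output time.

declare(strict_types=1);

/** The five card.php parameters named in the advisory description. */
const CARD_FIELDS = ['lastname', 'firstname', 'email', 'job', 'signature'];

/** Escape a value for insertion into HTML text or a double-quoted attribute. */
function h(string $value): string
{
    // ENT_QUOTES covers both ' and "; the explicit 'UTF-8' avoids depending on
    // the PHP-version default charset; ENT_SUBSTITUTE replaces invalid byte
    // sequences instead of collapsing the whole field to an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Build the card markup from a raw (not yet encoded) user record. */
function renderUserCard(array $user): string
{
    $rows = '';
    foreach (CARD_FIELDS as $field) {
        $raw = (string) ($user[$field] ?? '');
        // Both the label and the value go through h(); only the markup we
        // write ourselves is emitted unescaped.
        $rows .= '<tr><td>' . h($field) . '</td><td>' . h($raw) . "</td></tr>\n";
    }
    return "<table>\n" . $rows . "</table>\n";
}

/** Output-time escaping applied to a value that was encoded on input. */
function renderStoredEncodedField(string $storedValue): string
{
    // If the value was run through htmlspecialchars() when it was read (as
    // the patched GETPOST 'alpha' check does) and then stored, the '&' of
    // every entity is encoded a second time here.
    return h($storedValue);
}

// Constructed sample record: the quotes, tag and ampersand are benign but must
// reach the browser as literal text, not as markup.
$user = [
    'lastname'  => "O'Brien",
    'firstname' => 'Jane "JJ"',
    'email'     => 'jane@example.invalid',
    'job'       => '<b>Consultant</b>',
    'signature' => 'Jane & Co.',
];

echo renderUserCard($user);

// Same 'job' value as it would look after input-time encoding and storage.
echo renderStoredEncodedField('&lt;b&gt;Consultant&lt;/b&gt;'), "\n";
```

Run it with `php card-example.php` and inspect the markup: in the first table the `job` cell carries the `<b>` tag as entities, so the browser shows the tag text instead of rendering it; the last line shows the double-encoding that results when a value is encoded once on input and again on output, which is why escaping belongs at the point where the value is placed into a specific context rather than where it is read.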
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| dolibarr/dolibarr (Packagist) | <= 3.8.3 | — |
Patches (1)
0d3181324c81 · FIX #2857, #4291 & #4341 Escape GETPOST alpha data by default
1 file changed · +16 −15
htdocs/core/lib/functions.lib.php+16 −15 modified@@ -1,16 +1,17 @@ <?php -/* Copyright (C) 2000-2007 Rodolphe Quiedeville <rodolphe@quiedeville.org> - * Copyright (C) 2003 Jean-Louis Bergamo <jlb@j1b.org> - * Copyright (C) 2004-2013 Laurent Destailleur <eldy@users.sourceforge.net> - * Copyright (C) 2004 Sebastien Di Cintio <sdicintio@ressource-toi.org> - * Copyright (C) 2004 Benoit Mortier <benoit.mortier@opensides.be> - * Copyright (C) 2004 Christophe Combelles <ccomb@free.fr> - * Copyright (C) 2005-2012 Regis Houssin <regis.houssin@capnetworks.com> - * Copyright (C) 2008 Raphael Bertrand (Resultic) <raphael.bertrand@resultic.fr> - * Copyright (C) 2010-2011 Juanjo Menent <jmenent@2byte.es> - * Copyright (C) 2013 Cédric Salvador <csalvador@gpcsolutions.fr> - * Copyright (C) 2013 Alexandre Spangaro <alexandre.spangaro@gmail.com> - * Copyright (C) 2014-2015 Marcos García <marcosgdf@gmail.com> +/* Copyright (C) 2000-2007 Rodolphe Quiedeville <rodolphe@quiedeville.org> + * Copyright (C) 2003 Jean-Louis Bergamo <jlb@j1b.org> + * Copyright (C) 2004-2013 Laurent Destailleur <eldy@users.sourceforge.net> + * Copyright (C) 2004 Sebastien Di Cintio <sdicintio@ressource-toi.org> + * Copyright (C) 2004 Benoit Mortier <benoit.mortier@opensides.be> + * Copyright (C) 2004 Christophe Combelles <ccomb@free.fr> + * Copyright (C) 2005-2012 Regis Houssin <regis.houssin@capnetworks.com> + * Copyright (C) 2008 Raphael Bertrand (Resultic) <raphael.bertrand@resultic.fr> + * Copyright (C) 2010-2011 Juanjo Menent <jmenent@2byte.es> + * Copyright (C) 2013 Cédric Salvador <csalvador@gpcsolutions.fr> + * Copyright (C) 2013 Alexandre Spangaro <alexandre.spangaro@gmail.com> + * Copyright (C) 2014-2015 Marcos García <marcosgdf@gmail.com> + * Copyright (C) 2016 Raphaël Doursenaud <rdoursenaud@gpcsolutions.fr> * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by 
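Review bot: the header hunk removes and re-adds twelve copyright lines whose text is identical on the `-` and `+` sides, so the diff cannot show what actually differs there (presumably whitespace or line endings) and the review has to take that part on trust. Keep the change reviewable by adding only the new line `+ * Copyright (C) 2016 Raphaël Doursenaud <rdoursenaud@gpcsolutions.fr>` and leaving the existing header untouched, or move the whitespace normalisation into its own commit.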
@@ -194,10 +195,10 @@ function GETPOST($paramname,$check='',$method=0) elseif ($check == 'alpha') { $out=trim($out); - // '"' is dangerous because param in url can close the href= or src= and add javascript functions. // '../' is dangerous because it allows dir transversals - if (preg_match('/"/',$out)) $out=''; - else if (preg_match('/\.\.\//',$out)) $out=''; + if (preg_match('/\.\.\//',$out)) $out=''; + // Quotes are dangerous because param in url can close the href= or src= and add javascript functions. + $out = htmlspecialchars($out, ENT_QUOTES); } elseif ($check == 'aZ') {
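Review bot: `$out = htmlspecialchars($out, ENT_QUOTES);` encodes the value when GETPOST reads it rather than when it is rendered, so the encoded string is what gets stored, and any page that already escapes on output will double-encode it (each `&` becomes `&amp;`), while contexts that are not HTML text (a JavaScript string, a URL) are not protected by HTML entity encoding at all; if input-time encoding is the intended policy, state in the comment that every `'alpha' `value is HTML-encoded and check the callers, otherwise escape at output in the templates. Two smaller points on the same line: pass the charset explicitly as the third argument (`'UTF-8'`), since the default charset depends on the PHP version, and note that htmlspecialchars() returns an empty string for invalid byte sequences unless `ENT_SUBSTITUTE` or `ENT_IGNORE` is added, which would silently blank a field. The remaining `if (preg_match('/\.\.\//',$out)) $out='';` still discards the whole value without any signal to the caller; returning an error or logging the rejection would make such cases debuggable.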
References (8)
- packetstormsecurity.com/files/135201/Dolibarr-3.8.3-Cross-Site-Scripting.html (nvd: Exploit, Web)
- www.information-security.fr/xss-dolibarr-version-3-8-3/ (nvd: Exploit)
- github.com/Dolibarr/dolibarr/issues/4341 (nvd: Exploit, Web)
- github.com/advisories/GHSA-jh5p-wpg2-8rgv (ghsa: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2016-1912 (ghsa: Advisory)
- www.information-security.fr/xss-dolibarr-version-3-8-3 (ghsa: Web)
- github.com/GPCsolutions/dolibarr/commit/0d3181324c816bdf664ca5e1548dfe8eb05c54f8 (nvd: Web)
- twitter.com/MickaelDorigny/status/684456187870457857 (nvd: Web)