CVE-2017-1000509
Description
Dolibarr 6.0.2 contains a stored XSS vulnerability in the product details page that allows execution of arbitrary JavaScript.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Dolibarr version 6.0.2 contains a stored Cross-Site Scripting (XSS) vulnerability in the product details page (product/card.php). The flaw resides in the product name field, where the input sanitization fails to detect certain XSS payloads, allowing malicious scripts to be saved and later executed [3]. Any user with permission to edit a product's name can exploit this [3].
Exploitation
An attacker must have a valid Dolibarr account with privileges to modify product details [3]. The attacker logs in, navigates to a product, clicks the modify button, and appends a crafted XSS payload (e.g., `<iframe/src="data:text/html;&Tab;base64&Tab;,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==">`, whose base64 body decodes to `<body onload=alert(1)>`) to the product's name [3]. The `&Tab;` character references split the `base64` token, so the built-in XSS detector does not recognise the data: URI and the payload is stored in the database; when the name is rendered, the browser decodes the references and loads the iframe, so the script executes in the browser of any user who visits the product page [3].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to session hijacking, defacement, theft of sensitive data, or other malicious actions performed on behalf of the authenticated victim [3]. The attack does not escalate to server-side code execution but compromises the confidentiality and integrity of affected user sessions.
Mitigation
The cited references do not point to a fix commit for 6.0.2. The GitHub Security Advisory lists 7.0.0 as the first patched version, so the practical mitigation is to upgrade to Dolibarr 7.0.0 or later, which carries improved XSS filtering [3]. Until then, restrict product edit permissions to trusted users and review the input validation applied to the product name. A detector that works by pattern-matching known payloads is a weak control on its own: escaping product names when they are rendered removes the dependence on the filter recognising every encoding. The vulnerability is not listed in the CISA KEV as of this writing.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| dolibarr/dolibarr (Packagist) | < 7.0.0 | 7.0.0 |
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"The XSS detection filter fails to neutralize a crafted payload that uses `&Tab;` character references and a base64-encoded data: URI inside an iframe `src` attribute, allowing stored cross-site scripting via the product name field."
Attack vector
An attacker with privileges to edit product details can inject a stored XSS payload into the product name field [ref_id=2]. The payload is the tag `<iframe/src="data:text/html;&Tab;base64&Tab;,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==">`, whose data: URI carries a base64-encoded `<body onload=alert(1)>`. The `&Tab;` references break up the `base64` token so the XSS detector does not match it, while the browser decodes them when the stored name is rendered and loads the iframe [ref_id=2][ref_id=3].
Affected code
The vulnerability exists in the product detail editing functionality, specifically in the file `product/card.php` [ref_id=2]. The product name field is not properly sanitized before being stored and later rendered in the page, allowing stored XSS payloads to bypass the existing XSS detection filter [ref_id=2][ref_id=3].
What the fix does
No patch is included in the bundle. The advisory and the linked issue report [ref_id=2][ref_id=3] recommend changing the XSS detector to recognise payloads that use alternate encodings such as `&Tab;` character references and `base64` inside `data:` URIs within iframe `src` attributes. The fix would involve normalising the input (decoding character references and ignoring whitespace) before pattern matching, so that these bypass patterns are caught before the product name is saved to the database.
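As an added illustration (not Dolibarr's own filter code), the following Python models the bypass described under Root cause and the normalisation the fix note calls for. The naive pattern, the `normalize` helper and `render_name` are assumptions made for the demonstration; the payload string is the one from the report.

```python
import base64
import html
import re

# Constructed sample input: the payload reported in Dolibarr issue #7727, as it
# is typed into the product name field. "&Tab;" is an HTML character reference
# for U+0009; the browser decodes it when the stored name is rendered.
PAYLOAD = ('<iframe/src="data:text/html;&Tab;base64&Tab;,'
           'PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==">')

# A deliberately naive detector (hypothetical; not Dolibarr's own filter): it
# only recognises a base64 data: URI when the "base64" token is written
# contiguously, the way it appears in most cheat-sheet payloads.
_DATA_URI = re.compile(r'data:[^,]*;base64,', re.IGNORECASE)


def naive_detect(value: str) -> bool:
    """Return True when the raw input contains ';base64,' inside a data: URI."""
    return _DATA_URI.search(value) is not None


def normalize(value: str) -> str:
    """Canonicalise before matching: decode character references such as
    &Tab;, then drop ASCII whitespace, so a 'base64' token split by tabs
    lines up with the pattern again."""
    decoded = html.unescape(value)
    return re.sub(r'[ \t\n\r\f\v]+', '', decoded)


def hardened_detect(value: str) -> bool:
    """Same pattern as naive_detect, applied to the normalised form."""
    return _DATA_URI.search(normalize(value)) is not None


def decode_data_uri_body(value: str):
    """Show what the iframe would actually load: base64-decode the body of the
    first data: URI found after normalisation, or None if there is none."""
    m = re.search(r'data:[^,]*;base64,([A-Za-z0-9+/=]+)', normalize(value),
                  re.IGNORECASE)
    if m is None:
        return None
    return base64.b64decode(m.group(1)).decode('utf-8', errors='replace')


def render_name(name: str) -> str:
    """The control that does not depend on guessing encodings: escape the
    stored value on output, so '<' can never open a tag and '&Tab;' is
    shown literally as '&amp;Tab;'."""
    return html.escape(name, quote=True)


if __name__ == '__main__':
    print('naive filter flags payload:   ', naive_detect(PAYLOAD))
    print('hardened filter flags payload:', hardened_detect(PAYLOAD))
    print('iframe would load:            ', decode_data_uri_body(PAYLOAD))
    print('escaped for HTML:             ', render_name(PAYLOAD))
```

The naive check misses the reported payload because `&Tab;` sits between `;` and `base64`; after decoding the reference and stripping whitespace the same pattern matches. Output escaping is shown alongside because a blacklist only ever catches the encodings its author thought of.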
Preconditions
- Auth: attacker must have a Dolibarr account with permission to edit product details
- Input: target product must exist or be creatable
- Network: application must be reachable over HTTP/HTTPS
Reproduction
1. Log into Dolibarr with a user who can edit the name of a product.
2. Choose a product and click the "modify details" button.
3. Append the following payload to the product's current name: `<iframe/src="data:text/html;&Tab;base64&Tab;,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==">`
The stored payload then runs in the browser of any user who opens the product page [3].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- https://github.com/advisories/GHSA-hqfh-p9h7-m6v5 (GitHub Security Advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2017-1000509 (NVD)
- https://github.com/Dolibarr/dolibarr/issues/7727 (vendor issue report, x_refsource_CONFIRM)
News mentions: 0
No linked articles in our index yet.