Moderate severity · NVD Advisory · Published Apr 11, 2018 · Updated Aug 5, 2024

CVE-2017-18259

Description

Dolibarr ERP/CRM through 7.0.0 is affected by a stored Cross-Site Scripting (XSS) vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Dolibarr ERP/CRM through version 7.0.0 contains a stored Cross-Site Scripting (XSS) vulnerability. The application fails to properly sanitize user-supplied input in multiple parameters, such as leftmenu, type, month_create, and month_start, allowing an attacker to inject arbitrary JavaScript code that is stored and later executed in the context of other users' browsers [2]. This issue affects all installations running a version prior to 7.0.0 [1].

Exploitation

An attacker with authenticated access to the Dolibarr application can exploit this vulnerability by submitting specially crafted input containing JavaScript payloads via parameters such as leftmenu. The injected script is stored and executed whenever any user, including an administrator, views the affected page. For example, submitting a crafted value in the leftmenu parameter triggers the XSS when the page is loaded [2].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to session hijacking, theft of sensitive information (such as cookies or authentication tokens), defacement of the application interface, or redirection to malicious websites. The attack can compromise the confidentiality and integrity of user data and the application's state.

Mitigation

The Dolibarr project has addressed this vulnerability in version 7.0.0 and later releases. Users are strongly advised to upgrade to the latest available version to remediate the stored XSS issue. If an upgrade is not immediately possible, administrators should implement strict input validation and output encoding for all user-controlled parameters to mitigate the risk. No workaround is provided in the available references [1][2].
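One way to apply the interim advice above (validate user-controlled parameters on input, encode them on output), written here as an added PHP example that is not Dolibarr's own code; the page gives no patch. The raw-echo function shows the sink pattern behind a stored XSS in a parameter such as leftmenu, the other two show the hardened form. Function names, the allowed key alphabet and the sample values are assumptions.

```php
<?php
// Added example, not Dolibarr code: the unsafe pattern behind a stored
// XSS in a parameter such as leftmenu, next to a hardened form.

// UNSAFE: a stored value reaches the HTML response without encoding.
// Kept only for contrast with the safe version below.
function render_menu_unsafe(string $storedLeftmenu): string
{
    return '<a href="index.php?leftmenu=' . $storedLeftmenu . '">Menu</a>';
}

// Input validation: leftmenu is a menu key, so accept only the
// characters a key can contain (assumed alphabet; adjust to the real
// key format) and reject everything else before it is stored.
function validate_leftmenu(?string $raw): ?string
{
    if ($raw === null || !preg_match('/^[A-Za-z0-9_\-]{1,64}$/', $raw)) {
        return null;            // rejected: neither stored nor rendered
    }
    return $raw;
}

// Output encoding: whatever did reach storage is encoded for the HTML
// attribute context it lands in. ENT_QUOTES covers both quote styles,
// an explicit UTF-8 charset avoids charset-dependent bypasses.
function html_encode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_menu_safe(string $storedLeftmenu): string
{
    return '<a href="index.php?leftmenu=' . html_encode($storedLeftmenu) . '">Menu</a>';
}

// Constructed sample values (not taken from the advisory).
$good = 'accountancy';
$bad  = '"><b>not markup</b>';

assert(validate_leftmenu($good) === 'accountancy');
assert(validate_leftmenu($bad) === null);   // stopped at the input boundary

// Defence in depth: even a bad value already sitting in the database
// (data stored before validation existed) can no longer close the
// attribute or open a tag once output encoding is in place.
assert(strpos(render_menu_safe($bad), '<b>') === false);
assert(render_menu_safe($bad)
    === '<a href="index.php?leftmenu=&quot;&gt;&lt;b&gt;not markup&lt;/b&gt;">Menu</a>');
```

Run with zend.assertions=1 (the CLI default in development builds) so the assert() calls are evaluated.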

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                         Affected versions    Patched versions
dolibarr/dolibarr (Packagist)   <= 7.0.0             (none listed)
