CVE-2017-9838

Vulnerability

Dolibarr ERP/CRM versions before 5.0.4 contain multiple reflected Cross-Site Scripting (XSS) flaws in several pages: index.php (the leftmenu parameter), core/ajax/box.php (via PATH_INFO), product/stats/card.php (the type parameter), holiday/list.php (the month_create, month_start, and month_end parameters), and don/card.php (the societe, lastname, firstname, address, zipcode, town, and email parameters). No authentication is required to reach the vulnerable endpoints in most cases, though some may depend on configuration. [1][2][3]

Exploitation

An attacker can craft a malicious URL containing a JavaScript payload in the vulnerable parameter. The application echoes the input unmodified without proper output encoding, causing the browser to execute the script. For example, submitting leftmenu=47913%3C/script%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E in index.php triggers the payload. [3] No special network position beyond standard HTTP access is needed; user interaction is limited to clicking a crafted link.

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to session hijacking, credential stealing, or defacement. The attacker does not gain direct server control but can perform any action the victim user can, potentially accessing or modifying data within the application. [2][3]

Mitigation

The vulnerability is fixed in Dolibarr version 5.0.4, released on 2017-07-03. Users should upgrade to 5.0.4 or later. No official workaround has been provided, but enabling the use of a web application firewall (WAF) to filter malicious inputs may reduce risk. The CVE is not listed in CISA's Known Exploited Vulnerabilities catalog as of April 2025. [2]