VYPR
Moderate severity · OSV Advisory · Published Mar 7, 2019 · Updated Aug 5, 2024

CVE-2018-16808

Description

Dolibarr through 7.0.0 contains stored XSS in the expense reports module via the comments parameter or public/private notes.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Dolibarr versions 3.8.x through 7.0.0 are affected by a stored cross-site scripting (XSS) vulnerability in the expense reports module, specifically in expensereport/card.php. The comments parameter and the public and private note fields are stored without sanitization and rendered without output encoding, so an attacker can submit arbitrary HTML and JavaScript that persists in the database and executes in the browser of every user who later views the affected expense report [1][2][3].

Exploitation

An attacker needs valid credentials for the Dolibarr instance and access to the expense reports feature. From there, the attacker submits a POST request to the expense report form carrying JavaScript in the comments parameter or in the public or private note field. The payload is written to the database unchanged and rendered without encoding whenever any user, including an administrator, opens that expense report, so the script runs in the viewer's browser under that user's session [1][2].

Impact

The attacker's JavaScript executes in the victim's browser in the context of the victim's authenticated Dolibarr session. That enables session hijacking (where session cookies are readable by script), theft of any data the victim can see, and requests issued to the application as the victim; when the viewer is an administrator, the attacker effectively acts with administrative rights for as long as the session lasts. The impact is bounded by the privileges of whichever user views the poisoned report [1][3].

Mitigation

According to the reference issue, the vendor fixed the flaw in the release following disclosure; the package data below lists 7.0.1 as the first patched version, so users should upgrade to Dolibarr 7.0.1 or later. The references describe no workaround other than upgrading. Until the upgrade is applied, limiting which accounts can create or edit expense reports narrows the set of users able to plant a payload but does not remove the flaw, and existing expense-report notes and comments are worth reviewing for injected markup as an indicator of prior exploitation [1][2].
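The storage-then-render flaw described above and the output-encoding fix, as an added example rather than Dolibarr's own code: render_unsafe and render_safe model the vulnerable and hardened rendering of a stored note, and audit_rows is a heuristic for reviewing already-stored note and comment rows for planted payloads before or after the upgrade. The field names (note_public, note_private, comments) and the sample values are constructed stand-ins, not taken from Dolibarr's schema or from the advisory references.

```python
"""Stored XSS in a free-text field: the vulnerable rendering path, the
hardened one, and an audit over already-stored rows.

Added example, not Dolibarr code.  Field names and sample values are
hypothetical stand-ins for the expense-report comment and note fields
named in the advisory.
"""
import html
import re

# Constructed rows standing in for stored expense-report text fields.
# Rows 2-4 carry payloads an attacker could have submitted through the
# unsanitized form; rows 1 and 5 are benign, and row 5 contains angle
# brackets that must survive rendering as plain text.
SAMPLE_ROWS = [
    {"id": 1, "field": "note_public", "value": "Taxi to client site"},
    {"id": 2, "field": "comments", "value": '<script>fetch("/c?"+document.cookie)</script>'},
    {"id": 3, "field": "note_private", "value": '<img src=x onerror="alert(document.domain)">'},
    {"id": 4, "field": "note_public", "value": 'See <a href="javascript:alert(1)">receipt</a>'},
    {"id": 5, "field": "comments", "value": "5 < 6 and 7 > 3, nothing malicious"},
]


def render_unsafe(value: str) -> str:
    """Vulnerable pattern: stored text is spliced into the page verbatim,
    so any HTML the attacker stored becomes live markup for every viewer."""
    return f'<div class="note">{value}</div>'


def render_safe(value: str) -> str:
    """Hardened pattern: encode at output time.  '<', '>', '&' and both
    quote characters become entities, so stored text can only ever be text."""
    return f'<div class="note">{html.escape(value, quote=True)}</div>'


# Markup that has no business in a free-text note: script-bearing tags,
# inline event handlers (onerror=, onload=, ...) and javascript: URLs.
# A heuristic for triage, not a sanitizer: it will miss encoded variants.
SUSPICIOUS = re.compile(
    r"<\s*(?:script|iframe|svg|object|embed)\b|\bon[a-z]+\s*=|javascript\s*:",
    re.IGNORECASE,
)


def audit_rows(rows):
    """Return the ids of rows whose stored value carries script-bearing markup.
    Run it over the raw stored values (not rendered output) to find payloads
    planted before the upgrade; it does not replace output encoding."""
    return [row["id"] for row in rows if SUSPICIOUS.search(row["value"])]


if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print(f"row {row['id']} unsafe: {render_unsafe(row['value'])}")
        print(f"row {row['id']} safe:   {render_safe(row['value'])}")
    print("rows needing review:", audit_rows(SAMPLE_ROWS))
```

The fix is encoding at output time rather than trusting whatever passed input filtering, since the attacker controls exactly what reaches the database; in PHP the equivalent of html.escape(value, quote=True) is htmlspecialchars($value, ENT_QUOTES, 'UTF-8'). The audit regex is deliberately narrow and case-insensitive so it can be run over a dump of the note and comment columns without drowning reviewers in false positives; anything it flags should be inspected by hand.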

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                        Affected versions   Patched versions
dolibarr/dolibarr (Packagist)  < 7.0.1             7.0.1

Affected products: 2

Patches: 0 (no patch commits discovered yet)


References: 3

News mentions: 0 (no linked articles indexed yet)