VYPR
Moderate severity · GHSA Advisory · Published Dec 26, 2018 · Updated Aug 5, 2024

CVE-2018-19799

Description

Dolibarr ERP/CRM through 8.0.3 has /exports/export.php?datatoexport= XSS.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Dolibarr ERP/CRM through 8.0.3 is vulnerable to reflected cross-site scripting (XSS) in the export module via the datatoexport parameter.

Vulnerability

Dolibarr ERP/CRM through version 8.0.3 contains a reflected cross-site scripting (XSS) vulnerability in the export functionality. The flaw resides in the /exports/export.php script, where the datatoexport parameter is not properly sanitized before being reflected in the response. An attacker can inject arbitrary JavaScript code via this parameter, which is executed in the context of the victim's browser. The vulnerability is present in all versions up to and including 8.0.3 [3][4].

Exploitation

An attacker can exploit this vulnerability by crafting a malicious URL containing a JavaScript payload in the datatoexport parameter. The request must include step=2, action=selectfield, field=pj.ref, and page_y=627 as shown in the published proof-of-concept [3][4]. No authentication is required to trigger the XSS, as the vulnerable endpoint is accessible to unauthenticated users. The attacker can then trick a victim into clicking the crafted link, causing the payload to execute in the victim's browser.

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to theft of cookie-based authentication credentials, defacement of the application, or redirection to malicious sites. The attacker could also potentially access or modify data within the application, depending on the victim's privileges [3][4].

Mitigation

No official patch or fixed version is mentioned in the available references. Users should monitor the Dolibarr vendor website for updates beyond version 8.0.3. As a workaround, administrators can implement input validation and output encoding for the datatoexport parameter, or restrict access to the export functionality to authenticated users only.
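As an added illustration of the workaround described above (this is not Dolibarr's own code; only the parameter name datatoexport comes from the advisory, while the function names, the allowlist pattern and the sample values are assumptions), the unsafe reflection pattern beside a hardened version that validates the input and encodes it on output:

```php
<?php
// Hypothetical code for illustration, not taken from Dolibarr.

// Vulnerable pattern: the raw query parameter is echoed into the page, so any
// HTML or script characters it carries are interpreted by the victim's browser.
function render_export_vulnerable(array $query): string
{
    $dataToExport = $query['datatoexport'] ?? '';
    return '<input type="hidden" name="datatoexport" value="' . $dataToExport . '">';
}

// Hardened pattern: (1) validate the value against an allowlist of what an
// export dataset identifier is expected to look like, and (2) HTML-encode it
// for the attribute context when it is written back into the page.
function render_export_hardened(array $query): string
{
    $dataToExport = $query['datatoexport'] ?? '';

    // Allowlist (assumed shape): short identifier of letters, digits, underscore.
    // Anything else is rejected before it reaches the response body.
    if (!preg_match('/^[A-Za-z0-9_]{1,64}$/', $dataToExport)) {
        return '<p>Invalid datatoexport value</p>';
    }

    // Output encoding: ENT_QUOTES escapes both single and double quotes, so the
    // value cannot break out of the quoted attribute even if the allowlist is
    // later relaxed; the charset is stated explicitly.
    $safe = htmlspecialchars($dataToExport, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="datatoexport" value="' . $safe . '">';
}

// Constructed sample inputs: a benign identifier and a value carrying markup.
$benign  = ['datatoexport' => 'sample_dataset_1'];
$hostile = ['datatoexport' => '"><b>injected</b>'];

echo render_export_vulnerable($hostile), PHP_EOL; // markup lands in the page unchanged
echo render_export_hardened($benign),   PHP_EOL;  // passes validation, written encoded
echo render_export_hardened($hostile),  PHP_EOL;  // rejected by the allowlist
```

Validation alone is brittle if the allowlist must grow, and encoding alone still lets odd values through, which is why the hardened function applies both.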

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: dolibarr/dolibarr (Packagist)
Affected versions: <= 8.0.3
Patched versions: none listed

Affected products: 2

Patches: 0

No patches discovered yet.

References: 6

News mentions: 0

No linked articles in our index yet.