VYPR
Moderate severity · OSV Advisory · Published Jan 3, 2019 · Updated Aug 5, 2024

CVE-2018-19992

Description

Stored XSS in Dolibarr 8.0.2 allows authenticated users to inject arbitrary HTML/JS via address or town fields in adherents/type.php.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Stored cross-site scripting (XSS) vulnerability in Dolibarr version 8.0.2. The address and town POST parameters in adherents/type.php are not properly sanitized. The application uses GETPOST('address','alpha') and GETPOST('town','alpha') which only allow alphabetic characters but do not strip HTML tags, allowing injection of arbitrary web script or HTML. [1][2]

Exploitation

An attacker must be a remote authenticated user with access to the member type editing functionality. The attacker sends a POST request to adherents/type.php with a malicious payload in the address or town parameter. The payload is stored and executes when other users view the affected page. No additional privileges, and no user interaction beyond viewing the page, are required. [2]

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, defacement, or theft of sensitive information. The attack is stored, affecting all users who view the compromised member type. [2]

Mitigation

The fix was implemented in commit 0f06e39 [3] by changing the filter from 'alpha' to 'alphanohtml' which strips HTML tags. Users should upgrade to a version containing this fix (e.g., Dolibarr 8.0.3 or later). If upgrading is not possible, restrict access to the member type management pages to trusted users only. [3]

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: dolibarr/dolibarr (Packagist)
Affected versions: < 8.0.4
Patched versions: 8.0.4

Patches

0f06e39d2363

FIX CVE-2018-19992

https://github.com/dolibarr/dolibarr · Laurent Destailleur · Dec 22, 2018 · via ghsa
2 files changed · +6 −6
  • htdocs/adherents/card.php (+3 −3, modified)
    @@ -951,14 +951,14 @@ function initfieldrequired()
     
     		// Address
     		print '<tr><td class="tdtop">'.$langs->trans("Address").'</td><td>';
    -		print '<textarea name="address" wrap="soft" class="quatrevingtpercent" rows="2">'.(GETPOST('address','alpha')?GETPOST('address','alpha'):$object->address).'</textarea>';
    +		print '<textarea name="address" wrap="soft" class="quatrevingtpercent" rows="2">'.(GETPOST('address','alphanohtml')?GETPOST('address','alphanohtml'):$object->address).'</textarea>';
     		print '</td></tr>';
     
     		// Zip / Town
     		print '<tr><td>'.$langs->trans("Zip").' / '.$langs->trans("Town").'</td><td>';
    -		print $formcompany->select_ziptown((GETPOST('zipcode','alpha')?GETPOST('zipcode','alpha'):$object->zip),'zipcode',array('town','selectcountry_id','state_id'),6);
    +		print $formcompany->select_ziptown((GETPOST('zipcode','alphanohtml')?GETPOST('zipcode','alphanohtml'):$object->zip),'zipcode',array('town','selectcountry_id','state_id'),6);
     		print ' ';
    -		print $formcompany->select_ziptown((GETPOST('town','alpha')?GETPOST('town','alpha'):$object->town),'town',array('zipcode','selectcountry_id','state_id'));
    +		print $formcompany->select_ziptown((GETPOST('town','alphanohtml')?GETPOST('town','alphanohtml'):$object->town),'town',array('zipcode','selectcountry_id','state_id'));
     		print '</td></tr>';
     
     		// Country
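Review bot: the switch to 'alphanohtml' only covers the echoed-back request value in each ternary; the fallback branch (`$object->address` printed straight into the `<textarea>`, and `$object->zip` / `$object->town` handed to select_ziptown()) still outputs whatever is already in the database without escaping, so a value stored before this patch, or stored through another code path, is still rendered raw on this page. Suggest encoding at the print site as well (`htmlentities($object->address)` inside the textarea), confirming that select_ziptown() escapes the value it places in the input's value attribute, which is not visible in this hunk, and reading each GETPOST once into a local variable instead of calling it twice per field.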
    
  • htdocs/adherents/type.php (+3 −3, modified)
    @@ -42,7 +42,7 @@
     $search_lastname	= GETPOST('search_lastname','alpha');
     $search_login		= GETPOST('search_login','alpha');
     $search_email		= GETPOST('search_email','alpha');
    -$type				= GETPOST('type','alpha');
    +$type				= GETPOST('type','intcomma');
     $status				= GETPOST('status','alpha');
     
     $limit = GETPOST('limit','int')?GETPOST('limit','int'):$conf->liste_limit;
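Review bot: tightening `$type` to 'intcomma' is right, but the same hunk leaves `$search_lastname`, `$search_login`, `$search_email` and `$status` on the 'alpha' check, the very filter the advisory says lets HTML through; if any of them is echoed back into the list's filter form they need 'alphanohtml' too, or escaping at the print site. Also, if `$type` is only ever a single member-type id on this page, 'int' is the stricter choice, since 'intcomma' still admits a comma-separated list of ids.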
    @@ -59,8 +59,8 @@
     $label=GETPOST("label","alpha");
     $subscription=GETPOST("subscription","int");
     $vote=GETPOST("vote","int");
    -$comment=GETPOST("comment");
    -$mail_valid=GETPOST("mail_valid");
    +$comment=GETPOST("comment",'alphanohtml');
    +$mail_valid=GETPOST("mail_valid",'none');
     
     // Security check
     $result=restrictedArea($user,'adherent',$rowid,'adherent_type');
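Review bot: `$mail_valid` is moved to the 'none' check, which applies no filtering at all, so one of the two parameters this hunk touches is now explicitly exempt from sanitization in a commit titled "FIX CVE-2018-19992"; a comment should say why (a rich-text email template, if that is the reason), and the code path that renders that field must escape or sanitize it, because it is stored just like `comment`. Note also that this file's hunks change only `comment` and `mail_valid`; the `address` and `town` parameters named in the CVE description are changed in card.php, not in type.php, which anyone verifying the fix against the description should keep in mind.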
    

Vulnerability mechanics

Root cause

"Missing HTML sanitization on the `address` and `town` POST parameters allows stored cross-site scripting."

Attack vector

A remote authenticated attacker sends a POST request to `adherents/type.php` with malicious JavaScript embedded in the `address` or `town` parameter [ref_id=2]. The input is stored without HTML sanitization because the `GETPOST` call used the `'alpha'` filter, which permits HTML tags [CWE-79]. When an administrator or other user views the member record, the injected script executes in their browser session.

Affected code

The vulnerable parameters are `address` and `town` in `htdocs/adherents/type.php` and `htdocs/adherents/card.php`. The `GETPOST` calls for these fields used the `'alpha'` filter, which does not strip HTML tags, allowing stored XSS injection [patch_id=1701097].

What the fix does

The patch changes the `GETPOST` filter from `'alpha'` to `'alphanohtml'` for the `address`, `zipcode`, and `town` parameters in `htdocs/adherents/card.php`, and for `comment` in `htdocs/adherents/type.php` [patch_id=1701097]. The `'alphanohtml'` filter strips HTML tags from the input, preventing stored XSS. The `type` parameter was also changed to `'intcomma'` to restrict it to integer values.
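As an added example, not Dolibarr's own code, the following PHP models the 'alpha' versus 'alphanohtml' GETPOST checks described in the Vulnerability and Mitigation sections and in the paragraph above, and adds the output-side encoding that the patch does not touch; the filter semantics, the getpost() and render_textarea() helpers and the sample request are all assumptions.

```php
<?php
// Added example, not Dolibarr's code. The three filter modes below are a
// simplified model (an assumption) of the GETPOST checks named on this page.
function getpost(array $post, string $name, string $check): string
{
    $value = $post[$name] ?? '';
    switch ($check) {
        case 'alpha':        // pre-patch behaviour: trims only, HTML tags pass through
            return trim($value);
        case 'alphanohtml':  // post-patch behaviour: tags removed before the value is stored
            return trim(strip_tags($value));
        case 'intcomma':     // a single integer id or a comma-separated list, anything else rejected
            return preg_match('/^[0-9]+(,[0-9]+)*$/', $value) ? $value : '';
        default:
            throw new InvalidArgumentException("unknown check: $check");
    }
}

// Output-side defence the patch does not add: whatever the input filter did,
// a stored value printed into the edit form must be HTML-encoded at the print
// site, or a value saved before the fix (or via another path) still executes.
function render_textarea(string $name, string $stored): string
{
    return '<textarea name="' . htmlspecialchars($name, ENT_QUOTES) . '">'
        . htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</textarea>';
}

// Constructed sample request, shaped like a stored-XSS probe in the town field.
$post = [
    'town' => "Paris<script>alert(1)</script>",
    'type' => "3,<script>",
];

$unsafe = getpost($post, 'town', 'alpha');        // script element survives intact
$safe   = getpost($post, 'town', 'alphanohtml');  // tags stripped, text content kept
echo "alpha:       $unsafe\n";
echo "alphanohtml: $safe\n";
echo "intcomma:    '" . getpost($post, 'type', 'intcomma') . "'\n"; // non-numeric list rejected

// A value that reached the database before the patch is still neutralised at render time,
// including a closing </textarea> that would otherwise break out of the element.
$legacy = "Lyon</textarea><script>alert(1)</script>";
echo render_textarea('town', $legacy), "\n";
```

Run it with `php example.php`; the last line shows every `<`, `>` and quote in the legacy value encoded, which is the check to apply to each print site of a stored field rather than relying on the input filter alone.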

Preconditions

  • auth: Attacker must be an authenticated user of Dolibarr
  • auth: Attacker must have access to the member management (adherents) interface
  • config: Application must be Dolibarr version 8.0.2

Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
