VYPR
Moderate severity · NVD Advisory · Published Jul 15, 2019 · Updated Aug 5, 2024

CVE-2019-1010016

Description

Dolibarr 6.0.4 suffers from a reflected XSS bug in htdocs/product/stats/card.php that can be used to steal cookies via crafted links.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A reflected Cross-Site Scripting (XSS) vulnerability resides in the htdocs/product/stats/card.php component of Dolibarr ERP/CRM version 6.0.4. The root cause is improper validation of the id parameter passed through the GETPOST('id') function. When this unsanitized input is directly echoed into the page output, an attacker can inject arbitrary HTML and JavaScript code [2][3].

Exploitation

The attack requires the victim to click a specially crafted link sent by the attacker. The link carries a malicious payload in the id parameter. For example, a URL whose id parameter holds a value such as lol"> causes the injected script to execute in the victim's browser context [3]. No authentication or special privileges are needed to craft the payload, but user interaction (clicking the link) is required.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's session. This can be used to steal session cookies, exfiltrate sensitive data displayed on the page, or perform actions on behalf of the victim within the Dolibarr application [2]. Since Dolibarr is an ERP/CRM system handling contacts, invoices, orders, and financial data, cookie theft could lead to significant data breach or account takeover.

Mitigation

Based on the available information, Dolibarr 6.0.4 is affected. Users should upgrade to a fixed release where one is available; the project is actively maintained [1]. Administrators should also apply generic web application defenses (input validation, context-aware output encoding, a Content Security Policy) as defense in depth.
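As an added illustration of the pattern described under Vulnerability and of the input-validation and output-encoding mitigations listed above: the following is example code written for this page, not Dolibarr's own source. The function names, the HTML fragment, and the use of plain PHP functions instead of Dolibarr's GETPOST wrapper are assumptions; the crafted value is the one quoted in the advisory.

```php
<?php
// Added example, not Dolibarr's code. It shows a request parameter echoed
// straight into HTML (the reflected-XSS pattern the advisory describes) next
// to two defensive fixes. Function names and markup are hypothetical.

// Vulnerable pattern: the raw value of ?id=... lands inside an attribute and
// in the page body without encoding, so a value such as  lol">  closes the
// attribute and lets attacker-controlled markup follow it.
function render_card_vulnerable(string $id): string
{
    return '<a href="card.php?id=' . $id . '">Product ' . $id . '</a>';
}

// Fix 1 (output encoding): encode every untrusted value at the point where it
// is written into HTML. ENT_QUOTES also encodes single quotes, so the value
// is inert inside both attribute quoting styles; ENT_SUBSTITUTE prevents an
// invalid UTF-8 sequence from silently turning the output into an empty string.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_card_encoded(string $id): string
{
    return '<a href="card.php?id=' . esc($id) . '">Product ' . esc($id) . '</a>';
}

// Fix 2 (input validation): an object id should be a positive integer, so
// anything else is rejected before it reaches the template. Returns null on
// invalid input; the caller answers with fixed error markup instead of
// reflecting the value.
function parse_product_id(?string $raw): ?int
{
    if ($raw === null || !preg_match('/^[1-9][0-9]{0,9}$/', $raw)) {
        return null;
    }
    return (int) $raw;
}

function render_card_validated(?string $raw): string
{
    $id = parse_product_id($raw);
    if ($id === null) {
        // Constant markup: nothing from the request is echoed back.
        return '<p>Invalid product id.</p>';
    }
    // Validation already guarantees digits only; encoding on output anyway is
    // the defense-in-depth habit that survives later changes to the template.
    return '<a href="card.php?id=' . esc((string) $id) . '">Product ' . $id . '</a>';
}

// Demonstration with the crafted value quoted in the advisory.
$crafted = 'lol">';
echo render_card_vulnerable($crafted), PHP_EOL;   // attribute is broken open
echo render_card_encoded($crafted), PHP_EOL;      // quote and bracket are entity-encoded
echo render_card_validated($crafted), PHP_EOL;    // rejected before rendering
echo render_card_validated('42'), PHP_EOL;        // normal case renders the link
```

Validation (fix 2) is the right primary control for a numeric id, because it removes the attacker's text from the response entirely; encoding (fix 1) is what protects free-form fields that legitimately contain arbitrary characters, and sending a Content-Security-Policy header limits what an injected script could do if either control is missed elsewhere in the application.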

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in our index yet)