VYPR
Moderate severity · NVD Advisory · Published Sep 16, 2019 · Updated Aug 5, 2024

CVE-2019-16197

Description

Dolibarr 10.0.1 reflects the User-Agent header into HTML without sanitization, enabling stored/reflected XSS.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Details

CVE-2019-16197 describes a cross-site scripting (XSS) vulnerability in Dolibarr ERP/CRM version 10.0.1. The vulnerability lies in the file htdocs/societe/card.php, where the value of the User-Agent HTTP header is copied directly into the generated HTML document as plain text between tags. No sanitization or encoding is applied to the header value before output [1][3].

Exploitation

An attacker can exploit this vulnerability by crafting a malicious User-Agent header containing JavaScript code. When a victim visits the affected page (e.g., through a crafted link or by being tricked into using a specific user-agent), the browser renders the injected script, executing it in the context of the Dolibarr application. No authentication or special privileges are required for exploitation; the attack surface includes any user who can access the card.php endpoint [1][2].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser. This can lead to session hijacking, defacement, theft of sensitive data (e.g., cookies, credentials), or further attacks against the Dolibarr instance and its users [1][3].

Mitigation

The vulnerability was patched in a later commit (c53be23) by implementing proper filtering and sanitization of HTTP header values [4]. Users are advised to upgrade to a fixed version of Dolibarr. As of the publication date, no workaround has been documented, though disabling access to the vulnerable page or employing a web application firewall (WAF) might reduce risk temporarily.

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package             Ecosystem   Affected versions   Patched versions
dolibarr/dolibarr   Packagist   < 10.0.2            10.0.2

Affected products: 2

Patches: 1

Commit c53be23122fc

FIX Filtering the HTTP Header "Accept-Language".

https://github.com/dolibarr/dolibarr · Laurent Destailleur · Sep 24, 2019 · via ghsa
2 files changed · +21 −2
  • htdocs/core/class/translate.class.php · +3 −2 · modified
    @@ -88,11 +88,12 @@ public function setDefaultLang($srclang = 'en_US')
     
     		if (empty($srclang) || $srclang == 'auto')
     		{
    +			// $_SERVER['HTTP_ACCEPT_LANGUAGE'] can be 'fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7,it;q=0.6' but can contains also malicious content
     			$langpref=empty($_SERVER['HTTP_ACCEPT_LANGUAGE'])?'':$_SERVER['HTTP_ACCEPT_LANGUAGE'];
    -			$langpref=preg_replace("/;([^,]*)/i", "", $langpref);
    +			$langpref=preg_replace("/;([^,]*)/i", "", $langpref);	// Remove the 'q=x.y,' part
     			$langpref=str_replace("-", "_", $langpref);
     			$langlist=preg_split("/[;,]/", $langpref);
    -			$codetouse=$langlist[0];
    +			$codetouse=preg_replace('/[^_a-zA-Z]/', '', $langlist[0]);
     		}
     		else $codetouse=$srclang;
     
    
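Review bot: the allow-list on the last added line, `preg_replace('/[^_a-zA-Z]/', '', $langlist[0])`, is the right shape (keep known-good characters rather than remove known-bad ones), but it also drops digits, so a numeric region subtag such as `es-419` collapses to `es_`; if those should be accepted, widen the class to `[^_a-zA-Z0-9]`, or better, validate the final shape with an anchored pattern like `/^[a-z]{2,3}(_[A-Za-z0-9]{2,4})?$/` and fall back to a default when it does not match. Two smaller points: the new comment should read "can contain", not "can contains"; and stripping at this point only protects the language code, so wherever `$codetouse` or values derived from it are echoed into HTML, output encoding remains the control to rely on.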
  • test/phpunit/SecurityTest.php · +18 −0 · modified
    @@ -130,6 +130,24 @@ protected function tearDown()
         	print __METHOD__."\n";
         }
     
    +    /**
    +     * testSetLang
    +     *
    +     * @return string
    +     */
    +    public function testSetLang()
    +    {
    +    	global $conf;
    +    	$conf=$this->savconf;
    +
    +    	$tmplangs = new Translate('', $conf);
    +
    +    	$_SERVER['HTTP_ACCEPT_LANGUAGE'] = "' malicious text with quote";
    +    	$tmplangs->setDefaultLang('auto');
    +    	print __METHOD__.' $tmplangs->defaultlang='.$tmplangs->defaultlang."\n";
    +    	$this->assertEquals($tmplangs->defaultlang, 'malicioustextwithquote_MALICIOUSTEXTWITHQUOTE');
    +    }
    +
         /**
          * testGETPOST
          *
    
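Review bot: the assertion on the last added lines has its arguments reversed for PHPUnit's `assertEquals($expected, $actual)`; as written, a failure message would report the expected and actual values swapped, so use `$this->assertEquals('malicioustextwithquote_MALICIOUSTEXTWITHQUOTE', $tmplangs->defaultlang)`. The docblock declares `@return string` but the method returns nothing; make it `@return void`. The expected value also shows that a stripped-down but unknown language name still becomes `defaultlang` rather than falling back to a default, which deserves its own test case, as do inputs containing `<`, `>` and the `;`/`,` separators so the other characters the filter is meant to strip are covered.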

Vulnerability mechanics

Root cause

"Missing output sanitization of the User-Agent HTTP header value before it is embedded into HTML in htdocs/societe/card.php."

Attack vector

An attacker crafts a malicious User-Agent HTTP header containing a JavaScript payload. When a victim's browser sends a request to `htdocs/societe/card.php`, the server copies the User-Agent value directly into the HTML output without neutralization [CWE-79] [ref_id=2]. The injected script executes in the victim's browser session within the Dolibarr application context, enabling theft of session cookies, defacement, or other client-side attacks. No authentication is required to trigger the reflection, because the User-Agent header is processed on every request to the vulnerable page.

Affected code

The vulnerability is in `htdocs/societe/card.php` in Dolibarr 10.0.1 [ref_id=2]. The User-Agent HTTP header value is copied into the HTML document as plain text between tags without sanitization [ref_id=2]. The patch also addresses a related issue in `htdocs/core/class/translate.class.php` where the `Accept-Language` header was not sanitized [patch_id=1697142].

What the fix does

The patch in `htdocs/core/class/translate.class.php` adds a `preg_replace('/[^_a-zA-Z]/', '', $langlist[0])` call to strip any non-alphabetic characters from the language code derived from the `Accept-Language` header [patch_id=1697142]. This prevents injection of malicious characters (quotes, brackets, etc.) into the HTML output. The commit message states "FIX Filtering the HTTP Header 'Accept-Language'" [patch_id=1697142]. While the CVE description specifically names the User-Agent header in `card.php`, the patch demonstrates the project's broader approach to sanitizing HTTP header values before they enter HTML output.
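The two controls the fix relies on, shown side by side as an added example that is not Dolibarr's own code: the same allow-list regex the patch applies to the Accept-Language language code, followed by output encoding for a header that is echoed verbatim (the User-Agent case the CVE describes). The function names, the anchored shape check after the allow-list, and the sample header values are assumptions made for this example, not part of the patch.

```php
<?php
// Added example (not Dolibarr code). Function names are hypothetical.

// 1. Input allow-listing, mirroring the fix commit: derive a language code
//    from Accept-Language and keep only [_a-zA-Z], so no quote or angle
//    bracket can survive into the code that is later echoed.
function pickLanguageCode(string $acceptLanguage, string $fallback = 'en_US'): string
{
    // "fr-FR,fr;q=0.9,en-US;q=0.8" -> drop the ";q=x.y" weights (as in the patch)
    $langpref = preg_replace('/;([^,]*)/i', '', $acceptLanguage);
    $langpref = str_replace('-', '_', $langpref);
    $langlist = preg_split('/[;,]/', $langpref);
    // Allow-list: strip everything except letters and underscore (same regex as the patch)
    $code = preg_replace('/[^_a-zA-Z]/', '', $langlist[0]);
    // Added shape check (assumption, not in the patch): require "ll" or "ll_CC";
    // an arbitrary leftover word is rejected instead of passed through.
    if (!preg_match('/^[a-z]{2,3}(_[A-Z]{2})?$/', $code)) {
        return $fallback;
    }
    return $code;
}

// 2. Output encoding for a header echoed verbatim. The vulnerable form
//    emits the raw value; the hardened form HTML-encodes it first.
function renderUserAgentVulnerable(string $ua): string
{
    return '<pre>' . $ua . '</pre>';   // XSS: any markup inside $ua is rendered by the browser
}

function renderUserAgentSafe(string $ua): string
{
    // ENT_QUOTES encodes both ' and "; ENT_SUBSTITUTE avoids an empty result on bad UTF-8
    return '<pre>' . htmlspecialchars($ua, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</pre>';
}

// Constructed sample inputs (not captured from a real request)
$samples = [
    'fr-FR,fr;q=0.9,en-US;q=0.8'  => 'fr_FR',   // normal browser header
    "' malicious text with quote" => 'en_US',   // letters-only leftover fails the shape check
    'de-DE;q=0.5,<script>'        => 'de_DE',   // second entry never reaches the code
];
foreach ($samples as $header => $expected) {
    $got = pickLanguageCode($header);
    printf("%-30s -> %-6s %s\n", $header, $got, $got === $expected ? 'ok' : 'MISMATCH');
}

$ua = 'Mozilla/5.0 "><script>alert(1)</script>';
echo renderUserAgentVulnerable($ua), "\n"; // markup reaches the browser unchanged
echo renderUserAgentSafe($ua), "\n";       // <pre>Mozilla/5.0 &quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;</pre>
```

Run it with `php example.php`. The point of keeping both functions is that they guard different things: the allow-list bounds what the language code can be, while `htmlspecialchars` at the point of output is what makes any header value, User-Agent included, inert in HTML regardless of how it was filtered on the way in.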

Preconditions

  • [network] Attacker must be able to send HTTP requests to the Dolibarr instance (no authentication required)
  • [network] The vulnerable page htdocs/societe/card.php must be accessible
  • [input] Victim must browse to the page while the attacker-controlled User-Agent is reflected

Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4

News mentions: 0

No linked articles in our index yet.