CVE-2019-16685

Vulnerability

Overview

CVE-2019-16685 is a stored cross-site scripting (XSS) vulnerability in Dolibarr ERP & CRM version 9.0.5. The flaw resides in the User Group Description section, which is processed by card.php. Input entered into the group description field is not properly sanitized before being stored and later rendered in the browser, allowing an attacker to inject arbitrary HTML or JavaScript code [1][2].

Exploitation

Prerequisites

An attacker must have a valid Dolibarr account with the privilege 'Create/modify other users, groups and permissions'. This privilege is typically granted to administrative or manager-level roles. The attack does not require any special network position beyond normal web access to the Dolibarr instance. The injected payload is stored in the database and executed when any user (including administrators) views the affected group's details [1][2].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of other users' sessions. This can lead to session hijacking, data theft, or further actions taken on behalf of the victim. Because the attacker can also achieve privilege escalation, the stored XSS may be used to elevate the attacker's own permissions or perform administrative actions beyond their original scope [1][2].

Mitigation

Status

Dolibarr addressed this vulnerability in a later release. Users of Dolibarr 9.0.5 or earlier versions should upgrade to a patched version immediately. As of September 2019, no workaround was documented, but restricting the 'Create/modify other users, groups and permissions' privilege to trusted users only can reduce the attack surface [1][2].