VYPR
Moderate severity · NVD Advisory · Published Sep 27, 2019 · Updated Aug 5, 2024

CVE-2019-16686

Description

Dolibarr 9.0.5 stored XSS vulnerability in User Note section allows unprivileged users to inject scripts targeting admin.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability details

CVE-2019-16686 describes a stored cross-site scripting (XSS) vulnerability in the User Note section (note.php) of Dolibarr ERP/CRM version 9.0.5 [1][2]. The root cause is insufficient sanitization of user-supplied input, allowing arbitrary HTML or JavaScript to be stored directly within the note field. This vulnerability can be triggered by any user, including those with no special privileges [2].

Exploitation

An attacker with access to the application can simply craft a malicious payload in the User Note area of note.php. Because the input is stored and later rendered when the note is viewed, the attacker does not need to trick the victim into clicking a crafted link; the payload will execute automatically when the affected page is loaded by another user, such as an administrator [2].

Impact

If an administrator views the note containing the malicious script, the injected code can execute in the context of the admin's session. This could lead to theft of session cookies, unauthorized actions on behalf of the administrator, or further compromise of the Dolibarr installation and its data [2].

Mitigation

At the time of disclosure, the vulnerability existed in Dolibarr 9.0.5. Users should upgrade to a patched version if available. The official Dolibarr repository may contain fixes in later releases [1]. Administrators should review user-contributed notes and consider restricting access to the note feature if an immediate update is not possible.

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
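The narrative above attributes the flaw to note content being stored and later rendered without sanitization. The following PHP snippet is an added illustration, not Dolibarr's own code, of the rendering pattern that produces a stored XSS and of the output-encoding fix; every function and variable name in it is hypothetical, and the sample note value is constructed.

```php
<?php
// Added illustrative example (not Dolibarr's code); names are hypothetical.

// Vulnerable pattern: the stored note is concatenated into the page as-is,
// so any HTML or script tag a low-privilege user saved is interpreted by the
// browser of whoever views the note, including an administrator.
function render_note_unsafe(string $note): string
{
    return '<div class="note">' . $note . '</div>';
}

// Hardened pattern: encode on output. htmlspecialchars() converts the
// characters HTML treats as markup (<, >, &, ", ') into entities, so the
// note is displayed as literal text and is never executed as script.
function render_note_safe(string $note): string
{
    $escaped = htmlspecialchars($note, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="note">' . $escaped . '</div>';
}

// Review helper matching the mitigation advice to audit user-contributed
// notes: flags stored values that contain tag markup so an administrator
// can inspect them (outside the browser) before they are displayed.
function note_contains_markup(string $note): bool
{
    return (bool) preg_match('/<\s*\/?\s*[a-z][^>]*>/i', $note);
}

// Constructed sample of the kind of value a user could save in a note.
$sample = '<script>/* constructed sample */</script> Call back on Monday';

// The unsafe renderer passes the tag through; the safe one emits
// &lt;script&gt;... which the browser shows as text.
echo render_note_unsafe($sample), PHP_EOL;
echo render_note_safe($sample), PHP_EOL;

// Audit pass over a constructed set of stored notes.
$stored_notes = [$sample, 'Plain text note', 'Price < 100 & shipping'];
foreach ($stored_notes as $i => $note) {
    printf("note %d: %s\n", $i, note_contains_markup($note) ? 'REVIEW' : 'ok');
}
```

Encoding belongs at the point of output rather than only at save time, because stored data can reach the page through more than one code path. If an application deliberately allows rich text in notes, plain escaping is too strict and an allowlist HTML sanitizer is needed instead; the regex check above is only a triage aid (it will also flag harmless text such as `a <b> c`) and is not a substitute for encoding.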

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 3

News mentions: 0 (no linked articles in the index yet)