VYPR
Moderate severity · NVD Advisory · Published Sep 27, 2019 · Updated Aug 5, 2024

CVE-2019-16687

Description

Dolibarr 9.0.5 suffers from stored XSS in the User Profile Signature field, allowing privilege-escalation attacks by users with specific permissions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

CVE-2019-16687 describes a stored cross-site scripting (XSS) vulnerability in Dolibarr ERP/CRM version 9.0.5. The flaw resides in the Signature field of a user's profile, edited through the user card page (card.php). An authenticated user who holds the 'Create/modify other users, groups and permissions' privilege can save arbitrary HTML and JavaScript in that field; the value is stored without being neutralised and is rendered unescaped, so the script executes in the browser of any user who later views the profile [1][2].

Attack

Vector and Prerequisites

Exploitation requires an authenticated account that has been granted the privilege to create or modify other users, groups, and permissions. This privilege is typically assigned to elevated roles such as managers or system administrators, but it is narrower than full administrator rights, which is what makes the escalation worthwhile. The attacker saves a malicious script as their signature; the payload persists in the database and fires in the browser of every user who opens the affected profile page [2]. No user interaction beyond viewing the profile is needed, and the viewer has no indication that the signature is anything other than text.
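
The rendering defect behind the attack above, as an added example written for this page in Python rather than the project's PHP; none of it is Dolibarr code. The signature strings are constructed, and the `html.parser` pass stands in for what a viewing user's browser does with the fragment: it shows the vulnerable render handing the browser an executable `onerror` handler, and the escaped render handing it plain text.

```python
import html
from html.parser import HTMLParser

# Constructed sample values; not taken from the advisory or from a Dolibarr install.
BENIGN_SIGNATURE = "Jane Doe <jane@example.test>"
MALICIOUS_SIGNATURE = '<img src=x onerror="alert(document.cookie)">'


def render_signature_vulnerable(signature: str) -> str:
    """Drop the stored value straight into the page markup.

    This is the stored-XSS pattern described for CVE-2019-16687: whatever the
    user saved is handed to the viewer's browser as HTML.
    """
    return f'<div class="signature">{signature}</div>'


def render_signature_hardened(signature: str) -> str:
    """Escape HTML metacharacters so the value is displayed as text only."""
    return f'<div class="signature">{html.escape(signature, quote=True)}</div>'


class ActiveContentFinder(HTMLParser):
    """Record tags and attributes a browser would execute while parsing a fragment."""

    SCRIPT_TAGS = {"script", "iframe", "object", "embed"}

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names before calling this.
        if tag in self.SCRIPT_TAGS:
            self.findings.append(f"<{tag}>")
        for name, value in attrs:
            if name.startswith("on"):  # inline event handler such as onerror=
                self.findings.append(f"{tag}@{name}")
            elif name in ("href", "src") and value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"{tag}@{name}=javascript:")


def active_content(fragment: str) -> list[str]:
    """Parse a rendered fragment the way a browser would and list its executable parts."""
    finder = ActiveContentFinder()
    finder.feed(fragment)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for label, render in (("vulnerable", render_signature_vulnerable),
                          ("hardened", render_signature_hardened)):
        out = render(MALICIOUS_SIGNATURE)
        print(f"{label}: {out}\n  active content: {active_content(out)}")
```

Escaping is the simplest safe default for a field that should only ever display text. If the signature is meant to carry formatted HTML, as an e-mail signature often does, `html.escape` would break legitimate formatting; the correct replacement there is an allow-list sanitizer that keeps a fixed set of tags and attributes and drops everything else, including every `on*` attribute and every `javascript:` URL.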

Impact

A successful attack executes attacker-controlled script in the session of whoever views the profile. The escalation comes from the gap between the attacker's rights and the viewer's: the attacker only needs the user-management privilege, but a script running in a full administrator's browser acts with that administrator's session and can issue requests on their behalf, for example to grant the attacker additional permissions, read data the attacker cannot otherwise reach, or further compromise the Dolibarr instance. The vulnerability is classified as stored XSS because the malicious code persists in the signature field until it is removed, so every subsequent viewer is affected, not just the first [1][2].

Mitigation

As of the publication date, the vendor had not released a patch, and this page's patch tracker lists none. Users are advised to upgrade to a version newer than 9.0.5 if one is available, or to restrict the 'Create/modify other users, groups and permissions' privilege to trusted administrators only. Restricting the privilege stops new injections but does not clean up a payload that is already stored, so existing user signatures should also be reviewed for script tags, inline event handlers, and javascript: URLs. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, and no official workaround is documented beyond applying the latest security updates from the Dolibarr project [1].
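
The review of already-stored signatures is the step a practitioner would script. The audit helper below is an added example, not Dolibarr code; it assumes the rows come from a query such as `SELECT rowid, login, signature FROM llx_user` (the table and column names are an assumption about the schema, and a real run would pull them from the database), and it works on constructed sample rows so it runs offline. The patterns are deliberately heuristic: they catch the markup an unescaped render would execute, and anything they flag should be inspected by a person before it is cleared or removed.

```python
import re

# Heuristic patterns for markup a browser executes when a signature is rendered unescaped.
ACTIVE_MARKUP = re.compile(
    r"<\s*(script|iframe|object|embed|svg|math)\b"  # tags that carry or trigger script
    r"|\bon[a-z]+\s*=",                             # inline event handlers such as onerror=
    re.IGNORECASE,
)
SCRIPT_URL = re.compile(r"(href|src|action)\s*=\s*['\"]?\s*javascript\s*:", re.IGNORECASE)


def flag_signature(signature: str) -> list[str]:
    """Return the suspicious tokens found in one stored signature (empty when clean)."""
    hits = [m.group(0).strip() for m in ACTIVE_MARKUP.finditer(signature)]
    hits += [m.group(0).strip() for m in SCRIPT_URL.finditer(signature)]
    return hits


def audit_signatures(rows):
    """Scan (rowid, login, signature) rows and return (rowid, login, hits) for flagged ones.

    A NULL signature is treated as empty so the audit never crashes on unset profiles.
    """
    flagged = []
    for rowid, login, signature in rows:
        hits = flag_signature(signature or "")
        if hits:
            flagged.append((rowid, login, hits))
    return flagged


# Constructed sample rows standing in for the assumed llx_user query result.
SAMPLE_ROWS = [
    (1, "admin", "Best regards,<br>Jane Doe"),                                 # harmless formatting
    (2, "sales1", "John Smith | +1 555 0100"),                                 # plain text
    (3, "hr2", "<script>fetch('/user/card.php')</script>"),                    # script tag
    (4, "mgr3", 'Kind regards<img src=x onerror="alert(document.cookie)">'),   # event handler
    (5, "intern", '<a href="javascript:alert(1)">site</a>'),                   # javascript: URL
    (6, "svc", None),                                                          # NULL signature
]


if __name__ == "__main__":
    for rowid, login, hits in audit_signatures(SAMPLE_ROWS):
        print(f"rowid={rowid} login={login} hits={hits}")
```

Row 1 shows why a plain `LIKE '%<%'` query is too coarse: formatting tags like `<br>` are common in signatures and would drown the real findings. The regexes do not decode entity-encoded or otherwise obfuscated attribute values; for a large instance, feed each signature through a real HTML parser as well and compare the two result sets.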

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in our index yet)