CVE-2019-16688
Description
Stored XSS in Dolibarr 9.0.5 Email Template allows unprivileged users to inject scripts affecting all users including admin.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Dolibarr 9.0.5 contains a stored cross-site scripting (XSS) vulnerability in the Email Template section accessible via mails_templates.php. The root cause is insufficient sanitization of user-supplied input when creating or editing email templates, allowing arbitrary HTML and JavaScript to be persisted in the template fields.
Exploitation
An attacker with no privileges can inject a malicious script into an email template field. When an administrator or any other user views the affected template, the injected script executes in the context of the victim's browser session. The only requirement is the ability to access the template editing functionality, which is available to unprivileged users; no further authentication or privilege is needed.
Impact
Successful exploitation allows the attacker to perform actions on behalf of the victim, such as stealing session cookies, modifying configurations, or accessing sensitive data. Because the stored XSS affects all user privilege levels from admin to users with no permissions, the impact can be severe if an admin views the malicious template.
Mitigation
As of the publication date, no official patch has been released for Dolibarr 9.0.5. Users are advised to upgrade to a later version once a fix is available or to restrict access to the email template functionality to trusted users only [2].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Dolibarr/Dolibarr
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/advisories/GHSA-9h46-g4c9-7976 (GHSA advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2019-16688 (NVD advisory)
- [3] verneet.com/cve-2019-16688 (web reference, x_refsource_MISC)
News mentions
No linked articles in our index yet.