CVE-2020-13240
Description
The DMS/ECM module in Dolibarr 11.0.4 allows users with the 'Setup documents directories' permission to rename uploaded files to have insecure file extensions. This bypasses the .noexe protection mechanism against XSS.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In Dolibarr 11.0.4, users with 'Setup documents directories' permission can rename uploaded files to insecure extensions, bypassing .noexe XSS protection.
The DMS/ECM module in Dolibarr 11.0.4 contains a vulnerability where users with the 'Setup documents directories' permission can rename uploaded files to have insecure file extensions (e.g., .php, .html). This bypasses the .noexe protection mechanism, which is intended to prevent execution of uploaded files by blocking dangerous extensions [2].
To exploit this, an authenticated user must have the 'Setup documents directories' permission, typically assigned to administrators or document managers. The attacker uploads a file with a benign extension (e.g., .txt) and then renames it to a dangerous extension like .php or .html. If the web server then serves the renamed file as executable or active content, the result is a stored cross-site scripting (XSS) attack [2].
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the Dolibarr application, potentially stealing session cookies, defacing the site, or performing actions on behalf of other users. The vulnerability is a medium-severity issue that requires specific privileges but can lead to further compromise of the system.
As of the publication date, the vulnerability affects Dolibarr 11.0.4. Users should upgrade to a patched version if available. Administrators should review permissions and restrict the 'Setup documents directories' privilege to trusted users only [1]. No workaround is documented, but limiting file rename capabilities may reduce risk.
- GitHub - Dolibarr/dolibarr: Dolibarr ERP CRM is a modern software package to manage your company or foundation's activity (contacts, suppliers, invoices, orders, stocks, agenda, accounting, ...). It's an open source web application (written in PHP) designed for businesses of any size, foundations and freelancers.
- NVD - CVE-2020-13240
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
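A defensive counterpart to the rename weakness described above, as an added example that is not Dolibarr's own code: a rename guard that re-applies the .noexe suffix whenever any extension segment of the requested name is executable or active content, so a rename can no longer strip the protection. The constant name, function name and extension list are assumptions for illustration.

```php
<?php
// Added example (not Dolibarr's code): a rename guard in the spirit of the
// .noexe mechanism. Names, the extension list and the helper are assumptions.

// Extensions a web server may execute or a browser may render as active
// content. Constructed list; extend it to match your server configuration.
const DANGEROUS_EXTENSIONS = [
    'php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'phps',
    'html', 'htm', 'xhtml', 'shtml', 'svg', 'js', 'xml', 'htaccess',
];

/**
 * Decide what name a requested rename may actually be stored under.
 * Returns the name unchanged when harmless, or with ".noexe" appended when
 * any extension segment is dangerous, so the server will not execute or
 * render it. Throws on path separators, traversal and hidden names.
 */
function safeRenameTarget(string $requested): string
{
    $name = basename(trim($requested));
    if ($name === '' || $name !== $requested || $name[0] === '.') {
        throw new InvalidArgumentException('invalid filename');
    }
    // Inspect every dotted segment after the base name, so "shell.php.txt"
    // (which Apache mod_mime may still hand to PHP when AddHandler is used)
    // is caught, and "Notes.HTML" is caught regardless of case.
    $segments = explode('.', $name);
    array_shift($segments); // drop the base name
    foreach ($segments as $segment) {
        if (in_array(strtolower($segment), DANGEROUS_EXTENSIONS, true)) {
            return $name . '.noexe';
        }
    }
    return $name;
}

// Constructed inputs mirroring the narrative: a benign upload, then renames
// to executable, double and mixed-case extensions.
foreach (['report.txt', 'report.php', 'report.php.txt', 'Notes.HTML', 'logo.svg'] as $candidate) {
    printf("%-16s -> %s\n", $candidate, safeRenameTarget($candidate));
}
```

Applying the same check on upload and on rename closes the gap the narrative describes, since the protection no longer depends on which code path last touched the filename.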
Affected products
- Dolibarr/Dolibarr (OSV coordinates, no CPE): versions >= 11.0.4, <= 11.0.4 (1 more range not shown)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-f848-r5g6-6gpf (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-13240 (GHSA advisory)
- www.dubget.com/stored-xss-via-file-upload.html (GHSA, x_refsource_MISC, web)
News mentions
No linked articles in our index yet.