CVE-2020-13828
Description
Dolibarr 11.0.4 is affected by multiple stored Cross-Site Scripting (XSS) vulnerabilities that could allow remote authenticated attackers to inject arbitrary web script or HTML via ticket/card.php?action=create with the subject, message, or address parameter; adherents/card.php with the societe or address parameter; product/card.php with the label or customcode parameter; or societe/card.php with the alias or barcode parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Dolibarr 11.0.4 suffers from multiple stored XSS issues, enabling authenticated users to inject arbitrary scripts via various parameters in ticket, adherent, product, and company modules.
Vulnerability
Details
CVE-2020-13828 describes multiple stored Cross-Site Scripting (XSS) vulnerabilities in Dolibarr version 11.0.4 [1][3]. The root cause is insufficient sanitization of user-supplied input in several parameters across different modules. Specifically, the subject, message, and address parameters in ticket/card.php?action=create; the societe and address parameters in adherents/card.php; the label and customcode parameters in product/card.php; and the alias and barcode parameters in societe/card.php fail to properly encode or escape HTML, allowing storage of malicious scripts [2][3].
Exploitation
An attacker must be authenticated to the Dolibarr instance. By crafting a payload (e.g., a base64-encoded tag wrapped in an HTML element [2]) and submitting it through one of the vulnerable parameters, the attacker stores the payload on the server [2]. When other users, including administrators, view the affected page, the script executes in their browser context. The wizlynx group advisory provides a concrete proof of concept using the `label` parameter of the product card update request [2].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to session hijacking, defacement, data theft, or further malicious actions within the application [1][3]. Because the payload is stored, the attack can propagate to every user who accesses the compromised page.
Mitigation
Dolibarr 11.0.4 is the affected version (the advisory data lists <= 11.0.4). Users should upgrade to a later release that addresses these XSS vulnerabilities. As an interim workaround, validate the listed parameters on input and HTML-encode them at output time, using the encoding appropriate to the context in which each value is rendered (element text versus attribute value). As of the published advisory, no official patch had been announced, so users are advised to monitor the official Dolibarr repository [1] for fixes.
- GitHub - Dolibarr/dolibarr: Dolibarr ERP CRM is a modern software package to manage your company or foundation's activity (contacts, suppliers, invoices, orders, stocks, agenda, accounting, ...). it's an open source Web application (written in PHP) designed for businesses of any sizes, foundations and freelancers.
- Multiple Stored Cross-Site Scripting Vulnerabilities in Dolibarr CRM
- NVD - CVE-2020-13828
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| dolibarr/dolibarr (Packagist) | <= 11.0.4 | — |
Affected products
- Dolibarr/Dolibarr (OSV coordinates, 2 version ranges, no CPE)
  - range: >= 11.0.4, <= 11.0.4
  - range: <= 11.0.4
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-8r2w-phx4-mgpv (source: GHSA; type: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2020-13828 (source: GHSA; type: ADVISORY)
- www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2020-002 (source: GHSA; type: x_refsource_MISC, WEB)
News mentions
No linked articles in our index yet.