CVE-2020-7996
Description
htdocs/user/passwordforgotten.php in Dolibarr 10.0.6 allows XSS via the Referer HTTP header.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Dolibarr 10.0.6 suffers from a stored XSS vulnerability via the Referer header in passwordforgotten.php, allowing unauthenticated remote attackers to inject arbitrary web scripts.
Vulnerability
Description
CVE-2020-7996 is a cross-site scripting (XSS) vulnerability found in Dolibarr ERP/CRM version 10.0.6 [1]. The flaw exists in the htdocs/user/passwordforgotten.php script, which improperly sanitizes the HTTP Referer header before incorporating it into the page output. This allows an attacker to inject arbitrary HTML and JavaScript code that will be executed in the context of the victim's browser [2].
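The pattern the description refers to, as an added illustration rather than Dolibarr's own passwordforgotten.php code: a Referer value written straight into HTML beside the output-encoded, validated form. The function names, the host name and the sample header values are constructed for this example.

```php
<?php
// Added illustration, not Dolibarr's code: how a raw Referer header ends up
// as markup in the response, and the output encoding that prevents it.
declare(strict_types=1);

// Vulnerable pattern: the header value is concatenated straight into an
// HTML attribute, so a quote in the header closes the attribute early.
function renderBackLinkUnsafe(string $referer): string
{
    return '<a href="' . $referer . '">Back</a>';
}

// Hardened pattern: only accept an http(s) URL on our own host, and always
// encode the value for the attribute context it is written into. Encoding
// alone would not reject a javascript: URL in href, hence the scheme check.
function renderBackLinkSafe(string $referer, string $ownHost): string
{
    $parts = parse_url($referer);
    $trusted = is_array($parts)
        && isset($parts['scheme'], $parts['host'])
        && in_array(strtolower($parts['scheme']), ['http', 'https'], true)
        && strcasecmp($parts['host'], $ownHost) === 0;

    // Untrusted or absent Referer: fall back to a fixed local destination.
    $href = $trusted ? $referer : '/index.php';

    // ENT_QUOTES encodes both quote styles, so the value cannot end the attribute.
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">Back</a>';
}

// Constructed sample values (hypothetical host; these are not real requests).
$ownHost = 'erp.example.test';
$samples = [
    'https://erp.example.test/index.php',          // ordinary same-site Referer
    'https://erp.example.test/"><b>injected</b>',  // quote breaks out of the attribute
    'https://other.example.test/',                 // foreign host, not a valid back target
];

// In a real request the value would come from $_SERVER['HTTP_REFERER'] ?? ''.
foreach ($samples as $referer) {
    echo "unsafe: ", renderBackLinkUnsafe($referer), PHP_EOL;
    echo "safe:   ", renderBackLinkSafe($referer, $ownHost), PHP_EOL, PHP_EOL;
}
```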
Exploitation
Exploitation requires no authentication and can be triggered remotely. An attacker can craft a malicious link, email, or web page that causes the victim's browser to send a request to the password recovery page with a manipulated Referer header containing the XSS payload. The server then reflects this payload back to the victim, executing the script in their browser. No special network position is needed beyond the ability to deliver a crafted Referer [2].
Impact
Successful exploitation allows the attacker to perform actions on behalf of the victim, such as stealing session cookies, logging keystrokes, defacing the page, or redirecting the user to phishing sites. This can lead to full compromise of the victim's Dolibarr account and potential data exposure [2].
Mitigation
As of the advisory date, users of Dolibarr 10.0.6 are advised to upgrade to a patched version of the software. The vendor has released updates addressing this vulnerability; users should apply the latest security patches immediately [1][2].
- [1] GitHub - Dolibarr/dolibarr: Dolibarr ERP CRM is a modern software package to manage your company or foundation's activity (contacts, suppliers, invoices, orders, stocks, agenda, accounting, ...). It is an open source web application (written in PHP) designed for businesses of any size, foundations and freelancers.
- [2] NVD - CVE-2020-7996
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| dolibarr/dolibarr | Packagist | <= 10.0.6 | — |
Affected products
- Dolibarr/Dolibarr (OSV coordinates, 2 version ranges)
  - (no CPE) range: >= 10.0.6, <= 10.0.6
  - (no CPE) range: <= 10.0.6
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-v384-jqmq-fc74 (GHSA; advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-7996 (GHSA; advisory)
- github.com/tufangungor/tufangungor.github.io/blob/master/_posts/2020-01-19-dolibarr-10.0.6-xss-in-http-header.md (GHSA; x_refsource_MISC; web)
- tufangungor.github.io/exploit/2020/01/18/dolibarr-10.0.6-xss-in-http-header.html (GHSA; x_refsource_MISC; web)
News mentions
No linked articles in our index yet.