VYPR
Moderate severity · NVD Advisory · Published Nov 10, 2021 · Updated Aug 3, 2024

CVE-2021-33618

Description

Dolibarr ERP and CRM 13.0.2 allows XSS via object details, as demonstrated by > and < characters in the onpointermove attribute of a BODY element to the user-management feature.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Dolibarr ERP/CRM 13.0.2 is vulnerable to stored XSS via unescaped HTML in object details, allowing arbitrary JavaScript execution.

Vulnerability

Dolibarr ERP and CRM version 13.0.2 does not escape the greater-than (>) and less-than (<) characters when they are reflected in the pop-up windows that show object details [3][4]. This allows an attacker to inject arbitrary HTML tags and attributes. The vulnerability is present in the user-management feature, specifically in the group card page (/user/group/card.php) [3]. The affected version is 13.0.2 [2][3].

Exploitation

An attacker must have a valid user account with privileges to modify group names (e.g., via the user-management feature) [3]. The attacker sends a POST request to /user/group/card.php with a crafted group name containing a BODY element with an onpointermove attribute [3]. When an administrator or other user views the group details in a pop-up window, the injected HTML is rendered and the onpointermove event handler executes arbitrary JavaScript [3]. No user interaction beyond viewing the pop-up is required.

Impact

Successful exploitation results in stored cross-site scripting (XSS) [2][3]. The attacker can execute arbitrary JavaScript in the context of the victim's session, potentially leading to session hijacking, data theft, or further compromise of the Dolibarr instance. The CVSS score is 9.0 (Critical) with vector AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H [3].

Mitigation

The vendor has not released a specific patch for CVE-2021-33618 in the 13.x branch; however, later versions (e.g., 23.0.3) include numerous security fixes [1]. Users should upgrade to the latest available version of Dolibarr. As a workaround, administrators can restrict access to the user-management feature to trusted users only. No official advisory from the vendor is available in the provided references.
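The defect described above is a missing output-encoding step on a stored value, and the workaround is limited to restricting who can write that value. The following added example (not Dolibarr's own code, written in Python rather than PHP) models the unescaped pop-up rendering beside its hardened form and adds a small audit helper an administrator could run over exported group names to find entries saved while an unpatched instance was exposed; the function names and the sample rows are assumptions constructed for the example.

```python
import html
import re

# Start tag carrying an on* event-handler attribute (e.g. onpointermove),
# the construct the advisory describes in a crafted group name.
EVENT_HANDLER_TAG = re.compile(r"<\s*[a-z][^>]*\son[a-z]+\s*=", re.IGNORECASE)


def render_object_detail_vulnerable(label: str, value: str) -> str:
    """Models the defect: the stored value is concatenated into the pop-up
    HTML unescaped, so '<' and '>' in it become live markup."""
    return f"<div class='tooltip'><b>{label}:</b> {value}</div>"


def render_object_detail_fixed(label: str, value: str) -> str:
    """Hardened form: encode the value for an HTML text context first.
    quote=True also encodes ' and " so the value cannot break out of an
    attribute if the template is later changed to place it inside one."""
    safe = html.escape(value, quote=True)
    return f"<div class='tooltip'><b>{label}:</b> {safe}</div>"


def audit_group_names(rows):
    """Return the ids of (id, name) rows whose name contains a start tag
    with an on* attribute, for reviewing data stored while an unpatched
    13.0.2 instance was exposed. Names with a plain '<...>' are not flagged."""
    return [gid for gid, name in rows if EVENT_HANDLER_TAG.search(name)]


# Constructed sample rows (not taken from the advisory): a name with a
# legitimate '<...>', one with an ampersand, and one carrying a handler.
SAMPLE_GROUPS = [
    (1, "Sales <EMEA>"),
    (2, "Warehouse & Logistics"),
    (3, '<b onpointermove="handler()">Admins</b>'),
]

if __name__ == "__main__":
    for gid, name in SAMPLE_GROUPS:
        print(gid, render_object_detail_fixed("Group", name))
    print("needs review:", audit_group_names(SAMPLE_GROUPS))
```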

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: dolibarr/dolibarr (Packagist)
Affected versions: <= 13.0.2
Patched versions: none listed

Affected products: 3

Patches: 0 (no patches discovered yet)


References: 5