VYPR
Critical severity · NVD Advisory · Published Sep 20, 2023 · Updated Sep 25, 2024

CVE-2023-38888

Description

Cross Site Scripting vulnerability in Dolibarr ERP CRM v.17.0.1 and before allows a remote attacker to obtain sensitive information and execute arbitrary code via the REST API module, related to analyseVarsForSqlAndScriptsInjection and testSqlAndScriptInject.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cross-site scripting in Dolibarr ERP CRM 17.0.1 and earlier, reachable through the REST API module, lets a remote attacker inject script that runs in other users' browsers and discloses sensitive information.

Vulnerability

Overview

CVE-2023-38888 is a cross-site scripting (XSS) vulnerability in Dolibarr ERP CRM versions 17.0.1 and earlier, reachable through the REST API module [1][2]. The description ties it to analyseVarsForSqlAndScriptsInjection and testSqlAndScriptInject, the request-variable filter Dolibarr applies to detect SQL and script injection patterns: data submitted through the REST API is not adequately neutralized by that filter before it is stored or rendered, so script-bearing values reach the browser intact [2][3].
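The following is an added example, not Dolibarr code, showing why a pattern blocklist applied to request variables is a weak XSS defence compared with encoding at output time. The blocklist, the renderer functions and the sample values are all constructed for illustration; the blocklist is deliberately incomplete, as such lists tend to be, and it is not a reproduction of testSqlAndScriptInject.

```python
import html
import re
from typing import Dict

# Added example, not Dolibarr code. A constructed pattern blocklist in the
# style of a "detect script injection in request variables" filter. It is
# deliberately incomplete, as real blocklists tend to be.
BLOCKLIST = [
    r"<script",
    r"javascript:",
    r"\bon(load|error|click|mouseover)\s*=",
    r"<iframe",
]


def blocklist_filter(value: str) -> bool:
    """Return True when the value passes the blocklist (no pattern matched)."""
    return not any(re.search(p, value, re.IGNORECASE) for p in BLOCKLIST)


def render_unsafe(value: str) -> str:
    """Interpolate stored data into HTML as-is: the input filter is the only defence."""
    return f"<td>{value}</td>"


def render_safe(value: str) -> str:
    """Encode for the HTML text context at output time, independent of the filter."""
    return f"<td>{html.escape(value, quote=True)}</td>"


# Constructed sample values as an API client might submit them for a name
# field; none of these come from the advisory's references.
SAMPLES = {
    "benign": "ACME Corp <Paris>",
    "plain_script": "<script>alert(1)</script>",
    "details_toggle": "<details open ontoggle=alert(1)>",   # event not in the list
    "input_focus": "<input autofocus onfocus=alert(1)>",    # event not in the list
}


def evaluate() -> Dict[str, Dict[str, bool]]:
    """Per sample: did it pass the filter, and does each renderer emit a raw tag?"""
    result = {}
    for name, value in SAMPLES.items():
        result[name] = {
            "passed_filter": blocklist_filter(value),
            # strip the surrounding <td> and </td> before looking for a raw "<"
            "raw_tag_unsafe": "<" in render_unsafe(value)[4:-5],
            "raw_tag_safe": "<" in render_safe(value)[4:-5],
        }
    return result


if __name__ == "__main__":
    for name, flags in evaluate().items():
        print(f"{name:15s} {flags}")
```

The two event-handler payloads pass the filter because their handler names are not on the list, yet render_safe neutralizes them anyway; the benign value shows that output encoding also stops an unknown-tag glitch that the filter would never have caught. The filter is still worth keeping as a detection signal, but the neutralization has to happen in the output context.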

Exploitation

A remote attacker exploits the flaw by sending crafted requests to REST API endpoints so that script-bearing data is accepted by the application. Where that data is persisted and later rendered to another user, the script executes in that user's browser, an administrator's included [3]. The NVD description specifies only a remote attacker; it does not state whether a valid API key is needed to reach the affected endpoints, so do not assume the issue is limited to authenticated API users or, conversely, that it is reachable without one.

Impact

Successful exploitation lets the attacker run arbitrary JavaScript in the context of the victim's session. That enables theft of sensitive information such as session cookies and CSRF tokens, defacement, and further compromise of the Dolibarr instance through actions performed in the victim's session [2][3].

Mitigation

The vendor fix ships in a later release; upgrade to the current Dolibarr release [1][4]. Note that the sources on this page disagree on the version boundary: the NVD description lists 17.0.1 and before as affected, while the GitHub Security Advisory package data lists versions below 17.0.1 as affected and 17.0.1 as patched, so confirm the fix against the release you deploy. No official workaround is available, and proof-of-concept details have been published [3].
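An added example, not part of this advisory or of Dolibarr, for checking an installed copy against the affected range. It assumes that the installed version is declared in htdocs/filefunc.inc.php by a define('DOL_VERSION', '...') line (verify that on your own install) and takes its boundary from the NVD wording "v.17.0.1 and before"; the sample file content is constructed.

```python
import re
from typing import Optional, Tuple

# Constructed stand-in for htdocs/filefunc.inc.php. Assumption: the installed
# version is declared there by a define('DOL_VERSION', '...') line; check the
# shape against your own install before relying on this.
SAMPLE_FILEFUNC = """<?php
if (!defined('DOL_VERSION')) {
    define('DOL_VERSION', '17.0.0');
}
"""

# Boundary taken from the NVD wording "v.17.0.1 and before". The GitHub Security
# Advisory data on this page lists 17.0.1 as patched instead; adjust if you
# follow that source.
AFFECTED_MAX = (17, 0, 1)

VERSION_RE = re.compile(r"define\(\s*'DOL_VERSION'\s*,\s*'([0-9]+(?:\.[0-9]+)*)")


def parse_dol_version(source: str) -> Optional[Tuple[int, int, int]]:
    """Extract the numeric DOL_VERSION as a 3-tuple; pre-release suffixes are dropped."""
    m = VERSION_RE.search(source)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    parts = (parts + [0, 0, 0])[:3]   # pad short versions such as '17.0'
    return tuple(parts)


def is_affected(version: Tuple[int, int, int], affected_max=AFFECTED_MAX) -> bool:
    """Affected when the version is at or below the last affected release."""
    return tuple(version) <= tuple(affected_max)


def check_install(source: str) -> str:
    """Human-readable verdict for the contents of filefunc.inc.php."""
    v = parse_dol_version(source)
    if v is None:
        return "unknown: DOL_VERSION not found"
    label = "affected" if is_affected(v) else "not affected"
    return f"{'.'.join(map(str, v))}: {label}"


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_FILEFUNC
    print(check_install(text))
```

Run it with the path to your install's htdocs/filefunc.inc.php; without an argument it evaluates the constructed sample. Pre-release suffixes such as "-alpha" are ignored, which errs on the side of flagging a build as affected.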

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package             Ecosystem   Affected versions   Patched versions
dolibarr/dolibarr   Packagist   < 17.0.1            17.0.1

Affected products: 3

Patches: 0 (no patches discovered yet)


References: 4
