Cross-site Scripting (XSS) - Generic in dolibarr/dolibarr
Description
Cross-site Scripting (XSS) - Generic in GitHub repository dolibarr/dolibarr prior to 18.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Dolibarr prior to 18.0 contains a stored/generic XSS vulnerability due to insufficient filtering of HTML event handlers, allowing arbitrary script execution.
Vulnerability
Details
CVE-2023-5323 is a cross-site scripting (XSS) vulnerability in Dolibarr ERP/CRM prior to version 18.0. The root cause lies in the testSqlAndScriptInject function, which is responsible for sanitizing user input against malicious HTML and script injection. The function's regex-based filtering of HTML event handlers was incomplete; it missed several event attributes (e.g., onrepeat, onbegin, onfinish, onbeforeinput) and applied some checks to the raw input value instead of the HTML-stripped version, allowing attackers to bypass the filter by embedding event handlers within nested HTML tags [1][3].
Exploitation
An attacker can exploit this vulnerability by crafting input that includes event handlers such as onmouseover, onload, or onerror that are not properly blocked. Because the sanitization is a denylist, filtering some event handlers still leaves others unblocked, and nesting HTML inside an attribute name (the fix commit's own comment cites `<img on<a>error=alert(1)` as an attempt to hide `onerror` from the filter) can circumvent a regex that is run on the raw, unstripped input. The fix in commit [3] addresses this by extending the list of blocked event handlers and by applying the regex to the HTML-stripped value ($tmpval) rather than the original input, closing the bypass vector.
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of a victim's browser session. This can lead to session hijacking, theft of sensitive data (e.g., cookies, credentials), defacement of the application interface, or further attacks against other users. The vulnerability is classified as generic XSS, meaning it can be triggered in various input fields across the application.
Mitigation
The vulnerability is fixed in Dolibarr version 18.0. Users are strongly advised to upgrade to this version or later. The specific code changes are documented in the commit [3], which was reported via the huntr.dev bug bounty platform [4]. No official workaround has been provided, so upgrading is the recommended course of action.
- GitHub - Dolibarr/dolibarr: Dolibarr ERP CRM is a modern software package to manage your company or foundation's activity (contacts, suppliers, invoices, orders, stocks, agenda, accounting, ...). It is an open source web application (written in PHP) designed for businesses of any size, foundations and freelancers.
- Fix #hunter7a048bb7-bfdd-4299-931e-9bc283e92bc8 · Dolibarr/dolibarr@695ca08
- The world's first bug bounty platform for AI/ML (huntr.dev)
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| dolibarr/dolibarr (Packagist) | < 18.0.0 | 18.0.0 |
Affected products
3 OSV coordinates, 2 version ranges (< 18.0.0, plus 1 more)
- (no CPE) range: < 18.0.0
- (no CPE) range: < 18.0.0
- dolibarr/dolibarr/dolibarr v5 range: unspecified
Patches
1 patch: 695ca086847b Fix #hunter7a048bb7-bfdd-4299-931e-9bc283e92bc8
1 file changed · +5 −1
htdocs/main.inc.php+5 −1 modified@@ -173,16 +173,20 @@ function testSqlAndScriptInject($val, $type) $inj += preg_match('/on(lostpointercapture|offline|online|pagehide|pageshow)\s*=/i', $val); $inj += preg_match('/on(paste|pause|play|playing|progress|ratechange|reset|resize|scroll|search|seeked|seeking|show|stalled|start|submit|suspend)\s*=/i', $val); $inj += preg_match('/on(timeupdate|toggle|unload|volumechange|waiting|wheel)\s*=/i', $val); + // More not into the previous list + $inj += preg_match('/on(repeat|begin|finish|beforeinput)\s*=/i', $val); // We refuse html into html because some hacks try to obfuscate evil strings by inserting HTML into HTML. Example: <img on<a>error=alert(1) to bypass test on onerror $tmpval = preg_replace('/<[^<]+>/', '', $val); // List of dom events is on https://www.w3schools.com/jsref/dom_obj_event.asp and https://developer.mozilla.org/en-US/docs/Web/API/GlobalEventHandlers - $inj += preg_match('/on(mouse|drag|key|load|touch|pointer|select|transition)([a-z]*)\s*=/i', $val); // onmousexxx can be set on img or any html tag like <img title='...' onmouseover=alert(1)> + $inj += preg_match('/on(mouse|drag|key|load|touch|pointer|select|transition)([a-z]*)\s*=/i', $tmpval); // onmousexxx can be set on img or any html tag like <img title='...' 
onmouseover=alert(1)> $inj += preg_match('/on(abort|afterprint|animation|auxclick|beforecopy|beforecut|beforeprint|beforeunload|blur|cancel|canplay|canplaythrough|change|click|close|contextmenu|cuechange|copy|cut)\s*=/i', $tmpval); $inj += preg_match('/on(dblclick|drop|durationchange|emptied|end|ended|error|focus|focusin|focusout|formdata|gotpointercapture|hashchange|input|invalid)\s*=/i', $tmpval); $inj += preg_match('/on(lostpointercapture|offline|online|pagehide|pageshow)\s*=/i', $tmpval); $inj += preg_match('/on(paste|pause|play|playing|progress|ratechange|reset|resize|scroll|search|seeked|seeking|show|stalled|start|submit|suspend)\s*=/i', $tmpval); $inj += preg_match('/on(timeupdate|toggle|unload|volumechange|waiting|wheel)\s*=/i', $tmpval); + // More not into the previous list + $inj += preg_match('/on(repeat|begin|finish|beforeinput)\s*=/i', $tmpval); //$inj += preg_match('/on[A-Z][a-z]+\*=/', $val); // To lock event handlers onAbort(), ... $inj += preg_match('/:|:|:/i', $val); // refused string ':' encoded (no reason to have it encoded) to lock 'javascript:...'
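Review bot: the `-`/`+` pair that switches the `on(mouse|drag|key|load|touch|pointer|select|transition)` check from `$val` to `$tmpval` is the substantive fix, but nothing in the hunk exercises it; add a regression test built from the exact nested form the comment above it cites (`<img on<a>error=alert(1)`) so the second pass is known to run on the stripped value, and cover the new `on(repeat|begin|finish|beforeinput)` line in both passes. The comment `// More not into the previous list` should name where the handler names come from (the w3schools/MDN lists referenced two lines below it), since this denylist has now been extended once and will need extending again whenever new handlers are specified. Also, in the rendered hunk the last line `preg_match('/:|:|:/i', $val)` shows three identical plain colons, which cannot be what its comment ("refused string ':' encoded") describes; the entity-encoded alternatives appear to have been decoded by the page rendering, so check that line against the repository before relying on this view of the patch.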
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (4)
News mentions (0): no linked articles in our index yet.