VYPR
Moderate severity · NVD Advisory · Published Oct 30, 2023 · Updated Sep 6, 2024

Cross-site Scripting (XSS) - Stored in dolibarr/dolibarr

CVE-2023-5842

Description

Cross-site Scripting (XSS) - Stored in GitHub repository dolibarr/dolibarr prior to 16.0.5.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stored Cross-Site Scripting (XSS) vulnerability in Dolibarr ERP/CRM prior to version 16.0.5 lets an attacker store arbitrary script in application records, because the input filter's denylist of HTML event-handler attributes was incomplete.

Vulnerability

Overview

CVE-2023-5842 is a stored Cross-Site Scripting (XSS) vulnerability in the Dolibarr ERP/CRM open-source software package (versions prior to 16.0.5). The root cause is an incomplete filter in the testSqlAndScriptInject function (htdocs/main.inc.php), which screens user-supplied input for HTML event-handler attributes by matching a fixed list of handler names. The list omitted several handlers, among them onrepeat, onbegin, onfinish and onbeforeinput, so a payload using one of them passed the check and was stored as-is. Two of the missing names, onbegin and onrepeat, fire on SVG animation elements such as <animate>, so a payload built on them runs as soon as the page renders, with no user interaction [1][3].

Exploitation

Method

An attacker needs an authenticated session on a Dolibarr instance and the ability to enter data that is later rendered in a web page (e.g., a contact, invoice, or order record). By submitting markup that uses one of the handler attributes the filter did not list (for example an onbegin= attribute on an SVG animation element), the attacker gets the payload stored unmodified in the application's database. When any user, including an administrator, views the affected record, the injected script executes in that user's browser context [2][4]. No special network position is required beyond access to the Dolibarr web interface.

Impact

Successful exploitation enables an attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to session hijacking, defacement of the application interface, exfiltration of sensitive data, or further privileged actions within the ERP/CRM system. Since the XSS is stored, the malicious payload persists and can affect multiple users over time without requiring repeated social engineering [4].

Mitigation

The vulnerability is fixed in Dolibarr 16.0.5 by commit f569048 [2][3]. The patch does two things: it extends the regular expression denylist with the missing event names (repeat, begin, finish, beforeinput), and it changes the on(mouse|drag|key|load|touch|pointer|select|transition) check to run on the tag-stripped copy of the input ($tmpval), as its neighbouring checks already did, rather than on the raw input. That second change closes the tag-splitting trick the function's own comment describes (inserting a tag inside the attribute name, as in on<a>error=, so the name never appears contiguously in the raw value). Upgrade to 16.0.5 or a later stable release. Huntr, the platform that coordinated the disclosure, also lists this CVE as a confirmed security risk [4].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package             Ecosystem   Affected versions   Patched versions
dolibarr/dolibarr   Packagist   < 16.0.5            16.0.5

Affected products: 3

Patches: 1

f569048eb2bd

Fix #hunter7a048bb7-bfdd-4299-931e-9bc283e92bc8

https://github.com/dolibarr/dolibarr · Laurent Destailleur · Feb 11, 2023 · via ghsa
1 file changed · +5 −1
  • htdocs/main.inc.php (+5 −1, modified)
    @@ -167,16 +167,20 @@ function testSqlAndScriptInject($val, $type)
     	$inj += preg_match('/on(lostpointercapture|offline|online|pagehide|pageshow)\s*=/i', $val);
     	$inj += preg_match('/on(paste|pause|play|playing|progress|ratechange|reset|resize|scroll|search|seeked|seeking|show|stalled|start|submit|suspend)\s*=/i', $val);
     	$inj += preg_match('/on(timeupdate|toggle|unload|volumechange|waiting|wheel)\s*=/i', $val);
    +	// More not into the previous list
    +	$inj += preg_match('/on(repeat|begin|finish|beforeinput)\s*=/i', $val);
     
     	// We refuse html into html because some hacks try to obfuscate evil strings by inserting HTML into HTML. Example: <img on<a>error=alert(1) to bypass test on onerror
     	$tmpval = preg_replace('/<[^<]+>/', '', $val);
     	// List of dom events is on https://www.w3schools.com/jsref/dom_obj_event.asp and https://developer.mozilla.org/en-US/docs/Web/API/GlobalEventHandlers
    -	$inj += preg_match('/on(mouse|drag|key|load|touch|pointer|select|transition)([a-z]*)\s*=/i', $val); // onmousexxx can be set on img or any html tag like <img title='...' onmouseover=alert(1)>
    +	$inj += preg_match('/on(mouse|drag|key|load|touch|pointer|select|transition)([a-z]*)\s*=/i', $tmpval); // onmousexxx can be set on img or any html tag like <img title='...' onmouseover=alert(1)>
     	$inj += preg_match('/on(abort|afterprint|animation|auxclick|beforecopy|beforecut|beforeprint|beforeunload|blur|cancel|canplay|canplaythrough|change|click|close|contextmenu|cuechange|copy|cut)\s*=/i', $tmpval);
     	$inj += preg_match('/on(dblclick|drop|durationchange|emptied|end|ended|error|focus|focusin|focusout|formdata|gotpointercapture|hashchange|input|invalid)\s*=/i', $tmpval);
     	$inj += preg_match('/on(lostpointercapture|offline|online|pagehide|pageshow)\s*=/i', $tmpval);
     	$inj += preg_match('/on(paste|pause|play|playing|progress|ratechange|reset|resize|scroll|search|seeked|seeking|show|stalled|start|submit|suspend)\s*=/i', $tmpval);
     	$inj += preg_match('/on(timeupdate|toggle|unload|volumechange|waiting|wheel)\s*=/i', $tmpval);
    +	// More not into the previous list
    +	$inj += preg_match('/on(repeat|begin|finish|beforeinput)\s*=/i', $tmpval);
     
     	//$inj += preg_match('/on[A-Z][a-z]+\*=/', $val);   // To lock event handlers onAbort(), ...
     	$inj += preg_match('/&#58;|&#0000058|&#x3A/i', $val); // refused string ':' encoded (no reason to have it encoded) to lock 'javascript:...'
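Review bot: The event-name list is now maintained twice, once for the `$val` pass at the top of the hunk and once for the `$tmpval` pass below, and the hunk itself shows how the two copies drift: the `on(mouse|drag|key|load|touch|pointer|select|transition)` line had been left running on `$val` while every sibling line ran on `$tmpval`, which is the second half of this fix. Put the names in one array and loop it over both `$val` and `$tmpval`, or replace the enumeration with one `preg_match('/\bon[a-z]+\s*=/i', ...)` over both values; a denylist of names has to be extended every time a new DOM event ships (this change adds `repeat|begin|finish|beforeinput`, and the `on[A-Z][a-z]+` catch-all at the bottom is still commented out). If the generic pattern is used, it must run on `$val` as well as `$tmpval`, because `$tmpval` is empty whenever the input is a single well-formed tag.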
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4

News mentions: 0

No linked articles in our index yet.