VYPR
Medium severity · CVSS 4.6 · GHSA Advisory · Published Jun 3, 2024 · Updated Apr 15, 2026

CVE-2024-34051

Description

A Reflected Cross-site scripting (XSS) vulnerability located in htdocs/compta/paiement/card.php of Dolibarr before 19.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into the facid parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Dolibarr before 19.0.2 contains a reflected XSS in the payment card page via the facid parameter, allowing authenticated attackers to inject arbitrary web scripts.

Vulnerability

Overview

CVE-2024-34051 is a reflected Cross-site Scripting (XSS) vulnerability in Dolibarr ERP CRM versions before 19.0.2. The flaw resides in the file htdocs/compta/paiement/card.php, specifically in the facid GET parameter [1][2]. The official description confirms that remote attackers can inject arbitrary web script or HTML via a crafted payload into the facid parameter [2]. The vulnerability is rated Medium with a CVSS v3 score of 4.6, reflecting the need for user interaction and authenticated access [2].

Exploitation

Details

To exploit the vulnerability, an attacker must be an authenticated user of the Dolibarr instance [3]. The attack occurs during the payment validation process, triggered by visiting a URL like https:///compta/paiement/card.php?action=valide&facid=... [3]. The facid value is unsafely echoed back in a confirmation form generated by the formconfirm function [3]. Notably, Dolibarr's built-in XSS filter in htdocs/main.inc.php does not block the onbounce JavaScript event handler, allowing attackers to bypass input sanitization using HTML elements such as `` to inject malicious JavaScript [3].
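Because the vulnerable branch is reached through an ordinary GET request to `compta/paiement/card.php` with `action=valide`, a defender can watch for it in web-server access logs. The following is an added example, not part of the advisory and not Dolibarr code: it parses combined-format log lines (the four sample lines are constructed, one of them carrying the advisory's own `<script>alert(1)</script>` example URL-encoded) and flags any request to the payment card page whose `facid` is not a plain decimal integer, which is the only shape a legitimate invoice id takes. The function names `parse_log_line`, `is_suspicious_facid_request` and `scan_log` are mine; PHP 8.0 or later is assumed for `str_ends_with`.

```php
<?php
// Added example (not part of the advisory or of Dolibarr): scan access-log lines
// for requests to the payment card page whose facid value is not a plain integer.
// Pre-19.0.2 Dolibarr reflected that value unescaped, so a non-numeric facid on
// this path is worth an alert. Requires PHP 8.0+ (str_ends_with).

declare(strict_types=1);

// Constructed sample lines in combined log format (not real traffic). Line 2 carries
// the advisory's example payload, URL-encoded; line 4 a junk, non-numeric value.
$sampleLog = <<<'LOG'
203.0.113.10 - - [03/Jun/2024:10:00:01 +0000] "GET /compta/paiement/card.php?id=42&action=valide&facid=17 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [03/Jun/2024:10:00:05 +0000] "GET /compta/paiement/card.php?id=42&action=valide&facid=17%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5304 "-" "Mozilla/5.0"
203.0.113.12 - - [03/Jun/2024:10:00:09 +0000] "GET /compta/paiement/list.php?restore_lastsearch_values=1 HTTP/1.1" 200 8801 "-" "Mozilla/5.0"
203.0.113.13 - - [03/Jun/2024:10:00:12 +0000] "GET /compta/paiement/card.php?id=42&action=valide&facid=12abc HTTP/1.1" 200 5290 "-" "Mozilla/5.0"
LOG;

/**
 * Parse one combined-format line into ip, path, status and decoded query
 * parameters, or return null when the line does not match the format.
 */
function parse_log_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP\/[\d.]+" (\d{3})/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $parts = parse_url($m[2]);
    parse_str($parts['query'] ?? '', $params); // parse_str also URL-decodes values
    return [
        'ip'     => $m[1],
        'path'   => $parts['path'] ?? '',
        'status' => (int) $m[3],
        'params' => $params,
    ];
}

/**
 * True when the request hits the payment card page with a facid that is not a
 * decimal integer. Arrays (facid[]=...) are treated as anomalous as well.
 */
function is_suspicious_facid_request(array $req): bool
{
    // Only the payment card page echoed facid back; other pages are ignored here.
    if (!str_ends_with($req['path'], '/compta/paiement/card.php')) {
        return false;
    }
    if (!array_key_exists('facid', $req['params'])) {
        return false;
    }
    $facid = $req['params']['facid'];
    return !is_string($facid) || !ctype_digit($facid);
}

/** Scan a whole log body and return the flagged requests. */
function scan_log(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $req = parse_log_line($line);
        if ($req !== null && is_suspicious_facid_request($req)) {
            $hits[] = ['ip' => $req['ip'], 'facid' => $req['params']['facid']];
        }
    }
    return $hits;
}

foreach (scan_log($sampleLog) as $hit) {
    $shown = is_string($hit['facid']) ? $hit['facid'] : json_encode($hit['facid']);
    printf("suspicious facid from %s: %s\n", $hit['ip'], $shown);
}
```

Run it with `php scan.php`; the second and fourth sample lines are reported, the first (a normal integer id) and the third (a different page) are not. The check deliberately ignores `action=valide`: the integer-only rule is cheap and a non-numeric `facid` has no legitimate use on that page regardless of action, so matching every request keeps the rule simple and harder to sidestep.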

Impact

Successful exploitation enables an attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to session hijacking, data theft, or phishing attacks within the Dolibarr application. Since the attack is reflected and requires the victim to click a crafted link (e.g., delivered via email), user interaction is necessary. The flaw does not allow direct compromise of the server, but it undermines the confidentiality and integrity of user sessions [2][3].

Mitigation

The vulnerability is fixed in Dolibarr version 19.0.2 and later [1][2]. Users are advised to upgrade to the latest version immediately. No workarounds have been publicly documented, but sanitization of the facid parameter in custom code could serve as a temporary measure. The issue was responsibly disclosed by SmartTECS Cyber Security GmbH [3].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: dolibarr/dolibarr (Packagist)
Affected versions: < 19.0.2
Patched versions: 19.0.2

Affected products: 3

Patches: 1
3a3ccc253b8e

Fix GET use

https://github.com/dolibarr/dolibarr · Laurent Destailleur · Mar 28, 2024 · via ghsa
3 files changed · +2 −13
  • htdocs/accountancy/admin/categories_list.php (+0 −5, modified)
    @@ -299,11 +299,6 @@
     			setEventMessages($db->error(), null, 'errors');
     		}
     	}
    -	//$_GET["id"]=GETPOST('id', 'int');       // Force affichage dictionnaire en cours d'edition
    -}
    -
    -if (GETPOST('actioncancel', 'alpha')) {
    -	//$_GET["id"]=GETPOST('id', 'int');       // Force affichage dictionnaire en cours d'edition
     }
     
     if ($action == 'confirm_delete' && $confirm == 'yes') {       // delete
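Review bot: the deleted `if (GETPOST('actioncancel', 'alpha')) { ... }` block had an empty body (its only line was the commented-out `//$_GET["id"]=GETPOST('id', 'int');`), so removing it changes no behaviour, but it does drop the last trace of `actioncancel` handling in this file; if a cancel action was ever meant to reset `$id`, that intent is now gone, and the commit message "Fix GET use" gives no hint that this cleanup is unrelated to the `facid` fix in card.php. Brace balance is preserved (one `{` and one `}` removed together), so the remaining `}` above `if ($action == 'confirm_delete' ...)` still closes the enclosing block correctly.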
    
  • htdocs/accountancy/admin/journals_list.php (+0 −6, modified)
    @@ -272,14 +272,8 @@
     			setEventMessages($db->error(), null, 'errors');
     		}
     	}
    -	//$_GET["id"]=GETPOST('id', 'int');       // Force affichage dictionnaire en cours d'edition
     }
     
    -//if (GETPOST('actioncancel', 'alpha'))
    -//{
    -//	$_GET["id"]=GETPOST('id', 'int');       // Force affichage dictionnaire en cours d'edition
    -//}
    -
     if ($action == 'confirm_delete' && $confirm == 'yes') {       // delete
     	if ($tabrowid[$id]) {
     		$rowidcol = $tabrowid[$id];
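Review bot: every removed line in this hunk is a comment (`//$_GET["id"]=GETPOST('id', 'int');` and the fully commented-out `actioncancel` block), so this is a safe no-op cleanup; since `$id` is still consumed just below in `$tabrowid[$id]`, it is worth confirming in review that `$id` is populated elsewhere in the file via `GETPOST` rather than from the old `$_GET["id"]` assignment, which has been dead for as long as it was commented out. Bundling this with the card.php XSS fix makes the security change harder to backport and review in isolation; a separate commit, or a sentence in the commit message, would make the scope clear.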
    
  • htdocs/compta/paiement/card.php (+2 −2, modified)
    @@ -288,8 +288,8 @@
     
     // Confirmation of payment validation
     if ($action == 'valide') {
    -	$facid = $_GET['facid'];
    -	print $form->formconfirm($_SERVER['PHP_SELF'].'?id='.$object->id.'&amp;facid='.$facid, $langs->trans("ValidatePayment"), $langs->trans("ConfirmValidatePayment"), 'confirm_validate', '', 0, 2);
    +	$facid = GETPOSTINT('facid');
    +	print $form->formconfirm($_SERVER['PHP_SELF'].'?id='.$object->id.'&facid='.((int) $facid), $langs->trans("ValidatePayment"), $langs->trans("ConfirmValidatePayment"), 'confirm_validate', '', 0, 2);
     }
     
     $linkback = '<a href="'.DOL_URL_ROOT.'/compta/paiement/list.php?restore_lastsearch_values=1">'.$langs->trans("BackToList").'</a>';
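Review bot: the `((int) $facid)` cast on a value already returned by `GETPOSTINT('facid')` is redundant but harmless as defence in depth; the change that deserves a second look is dropping `&amp;` for a bare `&` in the URL string passed to `$form->formconfirm()`, which is emitted inside HTML. That is only safe because both `$object->id` and `$facid` are now integers and cannot contain `<`, `"` or `&`; if `formconfirm()` does not escape its URL argument itself, keeping `&amp;` (the HTML-correct form of the separator in an attribute) would have been the more conservative choice and costs nothing.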
    

Vulnerability mechanics

Root cause

"Direct use of unsanitized `$_GET['facid']` in an HTML context allows reflected cross-site scripting."

Attack vector

An attacker with low privileges can craft a malicious URL containing a `facid` parameter with embedded JavaScript (e.g., `<script>alert(1)</script>`). When a victim user (who must have the "ValidatePayment" permission) clicks the link, the payload is reflected into the confirmation page without sanitization [CWE-79]. The attack requires user interaction (clicking the crafted link) and is delivered over the network via HTTP GET.

Affected code

The vulnerability is in `htdocs/compta/paiement/card.php` at the payment validation logic. The `$facid` variable is assigned directly from `$_GET['facid']` without sanitization, and this unsanitized value is then embedded into the URL passed to `$form->formconfirm()`. The patch also touches two unrelated admin list files (`journals_list.php`, `categories_list.php`) where commented-out code is removed, but those are not part of the XSS fix.

What the fix does

The patch replaces the direct `$_GET['facid']` assignment with `GETPOSTINT('facid')`, which retrieves the parameter as an integer, and then casts the value to `(int)` before embedding it in the URL [patch_id=1709632]. This eliminates the XSS vector because any non-numeric input is converted to zero, preventing arbitrary HTML or script injection. The fix also removes the `&amp;` HTML entity encoding in the URL, which is safe because the value is now guaranteed to be numeric.
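The following added example (mine, not code from the advisory or from Dolibarr) makes the mechanism concrete: it rebuilds the confirmation URL the way the pre-patch line did and the way the patched line does, and runs both over constructed inputs including the advisory's `<script>alert(1)</script>` example. `getpost_int_stub` is a hypothetical stand-in for `GETPOSTINT()` that performs the `(int)` cast the paragraph describes; `confirm_url_before`, `confirm_url_after` and `confirm_url_escaped` are my names. The third function goes beyond the patch: it shows the general output-encoding approach for parameters that have to remain strings, where integer coercion is not an option.

```php
<?php
// Added example, not code from the advisory or from Dolibarr: shows why reading
// facid through an integer accessor closes the reflected XSS in
// htdocs/compta/paiement/card.php, plus the generic string fallback.

declare(strict_types=1);

// Hypothetical stand-in for Dolibarr's GETPOSTINT(): fetch the parameter and apply
// PHP's (int) cast, which is the operation the patched line relies on.
function getpost_int_stub(array $request, string $name): int
{
    $raw = $request[$name] ?? 0;
    return is_scalar($raw) ? (int) $raw : 0;
}

// Pre-patch construction: the raw request value is concatenated into the URL that
// formconfirm() later emits inside HTML, so any markup in it reaches the page.
function confirm_url_before(int $objectId, array $request): string
{
    $facid = $request['facid'] ?? '';
    return 'card.php?id='.$objectId.'&amp;facid='.$facid;
}

// Patched construction: integer accessor plus the explicit (int) cast from the diff.
function confirm_url_after(int $objectId, array $request): string
{
    $facid = getpost_int_stub($request, 'facid');
    return 'card.php?id='.$objectId.'&facid='.((int) $facid);
}

// Generic fallback for parameters that must stay strings: encode for an HTML
// attribute context instead of relying on type coercion (assumed good practice,
// not something this patch does).
function confirm_url_escaped(int $objectId, array $request): string
{
    $facid = (string) ($request['facid'] ?? '');
    return 'card.php?id='.$objectId.'&amp;facid='.htmlspecialchars($facid, ENT_QUOTES, 'UTF-8');
}

// Constructed inputs: a normal invoice id, the advisory's example payload appended
// to an id, the payload alone, and a scientific-notation numeric string.
$samples = ['17', '17<script>alert(1)</script>', '<script>alert(1)</script>', '1e3'];

foreach ($samples as $raw) {
    $req = ['facid' => $raw];
    echo "raw:     ", $raw, "\n";
    echo "before:  ", confirm_url_before(42, $req), "\n";
    echo "after:   ", confirm_url_after(42, $req), "\n";
    echo "escaped: ", confirm_url_escaped(42, $req), "\n\n";
}
```

Run with `php fix.php`. The `before` lines reproduce the payload verbatim; on the `after` lines PHP's explicit cast silently keeps only the leading digits, so `17<script>alert(1)</script>` becomes `17` and the bare payload becomes `0`, while `1e3` becomes `1000` on PHP 7.1 and later. The `escaped` lines keep the full string but with `<`, `>`, `&` and quotes encoded, which is the right tool when the parameter is not numeric by design.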

Preconditions

  • auth: Attacker must have a low-privilege account on the Dolibarr instance
  • auth: Victim must have permission to validate payments
  • input: Victim must click a crafted link containing the malicious facid parameter
  • network: Network access to the Dolibarr web interface is required

Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5

News mentions: 0

No linked articles in our index yet.