VYPR
Low severity · NVD Advisory · Published Jan 27, 2025 · Updated Feb 19, 2025

CVE-2024-55228

Description

A cross-site scripting (XSS) vulnerability in the Product module of Dolibarr v21.0.0-beta allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2024-55228 is a stored XSS vulnerability in the Product module of Dolibarr v21.0.0-beta: script injected through the Title parameter is saved with the product and executed in the browser of every user who later views it.

Vulnerability overview

CVE-2024-55228 is a stored cross-site scripting (XSS) vulnerability in the Product module of Dolibarr ERP/CRM version 21.0.0-beta. The Title parameter of a product is accepted without adequate sanitization and later rendered into the web interface without output encoding suited to the HTML context it lands in, so an attacker can inject arbitrary HTML or JavaScript through that field [1].

Attack vector and exploitation

Exploitation requires the ability to create or edit a product. In Dolibarr that is an authenticated account with product-creation rights; the cited description does not claim a lower bar, and the flaw should not be read as exploitable without a login. An attacker holding such an account crafts a payload, submits it in the Title field, and the value is stored in the database and rendered unescaped to every user who subsequently opens the affected product page, where the script runs in that viewer's session. No network position beyond ordinary access to the web interface is needed, and the victim only has to view the product [1][2].

Potential impact

Successful exploitation runs attacker-supplied script in the browser of any user who views the affected product, in the context of that user's authenticated session. Typical consequences are session-cookie theft (where the session cookie is not marked HttpOnly), actions performed as the victim through the application's own requests, defacement of the interface, and redirection to attacker-controlled sites. Because Dolibarr holds sensitive business data (contacts, invoices, orders), and because the victims are by construction users entitled to view products, the practical impact is exposure or manipulation of ERP/CRM data at the victim's privilege level, which may exceed the attacker's own [1][3].

Mitigation status

At publication the flaw is reported against Dolibarr v21.0.0-beta, a pre-release rather than a stable version; the project's security policy states that only the last five major stable versions are in scope for security reports [2]. A commit referenced in advisories shows how similar XSS issues were fixed in the codebase: a value rendered into an HTML attribute is passed through dolPrintHtmlForAttribute() rather than dol_escape_htmltag(), that is, it is escaped for the context it is interpolated into [4]. Operators should run the latest stable release and verify that product titles are escaped at output time in both text and attribute contexts; input filtering alone does not close a stored XSS, because the defect is in how the stored value is rendered, not only in how it is accepted [2][4].
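To make the mechanism described in the attack-vector and mitigation sections concrete, the following is an added Python illustration, not Dolibarr code and not a reproduction of dol_escape_htmltag() or dolPrintHtmlForAttribute(). A constructed in-memory product store keeps the submitted title verbatim; one renderer only strips tags, the other escapes the title for the HTML context it lands in; a small HTML-parser audit then reports any event-handler attribute or script element that the template never authored. The payloads, the PRODUCTS store and the `<input value="...">` sink are all constructed for the example.

```python
"""Stored XSS through a product title, and the context-aware escaping that closes it.

Added illustration for this advisory, not Dolibarr code. A minimal in-memory
"product module" stores a title verbatim and renders it in two HTML contexts:
element text (<h1>) and an attribute value (<input value="...">). The
vulnerable renderer only strips tags, so a quote-breakout payload survives in
the attribute context; the hardened renderer escapes for the context.
"""
import html
import re
from html.parser import HTMLParser

PRODUCTS = {}  # constructed in-memory store standing in for the database


def save_product(product_id, title):
    """Persist the title exactly as submitted: the storage step of a stored XSS."""
    PRODUCTS[product_id] = title


def render_vulnerable(product_id):
    """Tag stripping only. It removes <script> and <img onerror=...> in the
    text context, but a payload containing no '<' (e.g. '" onmouseover="...')
    closes the value="..." attribute and adds an event handler."""
    title = re.sub(r"<[^>]*>", "", PRODUCTS[product_id])
    return '<h1>%s</h1>\n<input name="label" value="%s">' % (title, title)


def render_hardened(product_id):
    """Escape &, <, >, " and ' before interpolating. quote=True is what makes
    the value safe inside a double-quoted attribute; it also covers text."""
    title = html.escape(PRODUCTS[product_id], quote=True)
    return '<h1>%s</h1>\n<input name="label" value="%s">' % (title, title)


class _HandlerAudit(HTMLParser):
    """Tokenize the rendered page the way a browser would and record any
    <script> element or on* attribute; the template itself authors neither."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script")
        for name, _value in attrs:
            if name.startswith("on"):
                self.findings.append("%s@%s" % (tag, name))


def injected_handlers(page):
    """Return the list of injected script/handler sinks found in a page."""
    audit = _HandlerAudit()
    audit.feed(page)
    audit.close()
    return audit.findings


def demo():
    """Constructed payloads, one per rendering context, run through both renderers."""
    save_product(1, '" onmouseover="alert(document.cookie)')   # attribute breakout
    save_product(2, "<script>alert(document.cookie)</script>")  # text-context tag
    return {
        "attr_vulnerable": injected_handlers(render_vulnerable(1)),
        "attr_hardened": injected_handlers(render_hardened(1)),
        "text_vulnerable": injected_handlers(render_vulnerable(2)),
        "text_hardened": injected_handlers(render_hardened(2)),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "clean")
```

The point the output makes is the one behind the referenced fix: the tag-stripping renderer is clean for the `<script>` payload but reports `input@onmouseover` for the quote-breakout payload, because stripping tags is a text-context defence and says nothing about an attribute value; escaping the quotes as well neutralizes both. The same audit, pointed at pages served by a real instance, is a cheap oracle for checking that a title entered as a test string does not come back as markup.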

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 4

Patches: 0 (no patches discovered yet)


References: 7

News mentions: 0 (no linked articles in the index yet)