The vulnerability stems from 16 parameters in htdocs/admin/company.php being read from $_POST and stored without sanitization. The fixing commit replaces the raw $_POST reads with GETPOST() calls that apply a filter (e.g. 'nohtml'). The vulnerable version used patterns like:
dolibarr_set_const($db, "MAIN_INFO_SOCIETE_NOM",$_POST["nom"],...)
without any input sanitization. When those stored values were later rendered in admin forms (e.g. as the value of <input> tags), they produced a stored XSS. dolibarr_set_const() itself is not vulnerable; the problem is that it was called with untrusted $_POST values that had not been filtered.
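The following is an added example, not Dolibarr's own code, that puts the unsanitized $_POST pattern described above beside a hardened version. It is a stand-alone PHP script: the $_POST contents are constructed, the constant store is a plain array in place of dolibarr_set_const() and the database, and getpost_nohtml() is an assumed stand-in for GETPOST($name, 'nohtml') rather than the real Dolibarr implementation.

```php
<?php
// Added example (not Dolibarr's own code): contrasts the raw $_POST pattern
// with a filtered read plus output escaping. The $_POST array is a
// constructed sample; set_const_stub() and getpost_nohtml() are stand-ins for
// dolibarr_set_const() and GETPOST($name, 'nohtml'), not the real functions.

$_POST = ['nom' => 'Acme"><i>injected</i>'];   // constructed sample input

// Stand-in for dolibarr_set_const(): a plain array instead of the llx_const table.
$constants = [];

function set_const_stub(array &$store, string $name, string $value): void
{
    $store[$name] = $value;
}

// Stand-in for GETPOST($name, 'nohtml'): decode entities first so a tag cannot be
// smuggled through in encoded form, then strip tags. Assumption, not Dolibarr's code.
function getpost_nohtml(string $name): string
{
    $raw = $_POST[$name] ?? '';
    return trim(strip_tags(html_entity_decode($raw, ENT_QUOTES, 'UTF-8')));
}

// Renders the stored value into an admin form field; $escape selects whether the
// value is HTML-escaped on output, which is the second half of the fix.
function render_input(string $value, bool $escape): string
{
    $shown = $escape ? htmlspecialchars($value, ENT_QUOTES, 'UTF-8') : $value;
    return '<input type="text" name="nom" value="' . $shown . '">';
}

// --- Vulnerable pattern (6.0.0): raw $_POST stored, then echoed unescaped.
set_const_stub($constants, 'MAIN_INFO_SOCIETE_NOM', $_POST['nom']);
$vulnerableHtml = render_input($constants['MAIN_INFO_SOCIETE_NOM'], false);

// --- Hardened pattern: filter on input AND escape on output.
set_const_stub($constants, 'MAIN_INFO_SOCIETE_NOM', getpost_nohtml('nom'));
$hardenedHtml = render_input($constants['MAIN_INFO_SOCIETE_NOM'], true);

echo "Vulnerable: $vulnerableHtml\n";
echo "Hardened:   $hardenedHtml\n";
```

Running it shows the vulnerable line breaking out of the value attribute and keeping the injected tag, while the hardened line stores `Acme">injected` and renders it as `Acme&quot;&gt;injected`. The point worth noticing is that tag stripping alone still leaves the stray quote that closes the attribute, so the input filter (the part the commit added) and escaping at the point of output are both needed.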
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| dolibarr/dolibarr | composer | = 6.0.0 | 6.0.1 |