
CVE-2017-9838: Dolibarr Cross-Site Scripting (XSS) vulnerability

CVSS Score
5.4 (CVSS v3.0)

Basic Information

EPSS Score
0.40768%
Published
5/14/2022
Updated
4/24/2024
KEV Status
No
Technology
PHP

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Package Name        Ecosystem   Vulnerable Versions   First Patched Version
dolibarr/dolibarr   composer    < 5.0.4               5.0.4

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The advisory explicitly lists specific files and parameters vulnerable to reflected/stored XSS due to insufficient input sanitization and output encoding. Each entry corresponds to a script that processes user-supplied parameters (e.g., via $_GET, $_POST, or PATH_INFO) and injects them into the HTML response without proper escaping. High confidence stems from the detailed parameter/file mappings in the CVE description and Wizlynx report, including proof-of-concept payloads demonstrating exploitation.
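As an added illustration (not Dolibarr's code and not part of the Miggo analysis), the pattern described above beside a hardened version in PHP: the parameter names (leftmenu, type) and the PATH_INFO source come from the advisory, while the surrounding markup, the validation rules and the set of valid type codes are assumptions.

```php
<?php
// Illustrative example added to this page, not Dolibarr's own code: the
// pattern the advisory describes (request data echoed into HTML unencoded)
// beside a hardened version. Parameter names and the PATH_INFO source come
// from the advisory; the markup and the valid "type" codes are assumed.

// Vulnerable pattern: raw request data written straight into the response.
function render_menu_vulnerable(array $get, array $server): string
{
    $leftmenu = $get['leftmenu'] ?? '';
    $path     = $server['PATH_INFO'] ?? '';
    // Unescaped: a value containing a quote or angle bracket breaks out of
    // the attribute and is rendered as markup by the browser.
    return '<div class="menu" id="' . $leftmenu . '">'
         . '<a href="box.php' . $path . '">box</a></div>';
}

// Encoder for HTML text and quoted attribute values. ENT_QUOTES covers both
// quote styles; ENT_SUBSTITUTE keeps invalid UTF-8 from emptying the output.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened version: validate where the value has a known shape, encode for
// the output context everywhere else.
function render_menu_hardened(array $get, array $server): string
{
    $leftmenu = $get['leftmenu'] ?? '';
    $path     = $server['PATH_INFO'] ?? '';
    // An element id has a narrow legitimate alphabet: allowlist it.
    if (!preg_match('/^[A-Za-z0-9_-]{0,64}$/', $leftmenu)) {
        $leftmenu = '';
    }
    // PATH_INFO is reused in a URL: percent-encode each segment, then
    // HTML-encode the whole attribute value.
    $segments = array_map('rawurlencode', array_filter(explode('/', $path), 'strlen'));
    $safePath = $segments ? '/' . implode('/', $segments) : '';
    return '<div class="menu" id="' . h($leftmenu) . '">'
         . '<a href="box.php' . h($safePath) . '">box</a></div>';
}

// The stats "type" parameter only selects a known report, so reject anything
// outside the allowlist before it reaches the page.
function stats_type(array $get): string
{
    $type = (string)($get['type'] ?? '0');
    return in_array($type, ['0', '1', '2'], true) ? $type : '0'; // assumed codes
}
```

Encoding alone is enough for free-form text; the allowlists are there because an id, a URL path segment and a report selector each have a known shape, and rejecting anything else removes the output-context guesswork entirely.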


WAF Protection Rules

WAF Rule

Dolibarr ERP/CRM is affected by multiple reflected Cross-Site Scripting (XSS) vulnerabilities in versions before 5.0.4: index.php (leftmenu parameter), core/ajax/box.php (PATH_INFO), product/stats/card.php (type parameter), holiday/list.php (month_cr
