5.4

CVSS Score

3.0

Basic Information

CVE ID

CVE-2017-9838

GHSA ID

GHSA-726g-cgcq-4xw8

EPSS Score

0.40768%

CWE

CWE-79

Published

5/14/2022

Updated

4/24/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2017-9838

CVE-2017-9838: Dolibarr Cross-Site Scripting (XSS) vulnerability

Dolibarr ERP/CRM is affected by multiple reflected Cross-Site Scripting (XSS) vulnerabilities in versions before 5.0.4: index.php (leftmenu parameter), core/ajax/box.php (PATH_INFO), product/stats/card.php (type parameter), holiday/list.php (month_create, month_start, and month_end parameters), and don/card.php (societe, lastname, firstname, address, zipcode, town, and email parameters).

(GitHub Advisory)

5.4

CVSS Score

3.0

Basic Information

CVE ID

CVE-2017-9838

GHSA ID

GHSA-726g-cgcq-4xw8

EPSS Score

0.40768%

CWE

CWE-79

Published

5/14/2022

Updated

4/24/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
dolibarr/dolibarr	composer	< 5.0.4	5.0.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The advisory explicitly lists specific files and parameters vulnerable to reflected/stored XSS due to insufficient input sanitization and output encoding. Each entry corresponds to a script that processes user-supplied parameters (e.g., via $_GET, $_POST, or PATH_INFO) and injects them into the HTML response without proper escaping. High confidence stems from the detailed parameter/file mappings in the CVE description and Wizlynx report, including proof-of-concept payloads demonstrating exploitation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*oli**rr *RP/*RM is *****t** *y multipl* r**l**t** *ross-Sit* S*riptin* (XSS) vuln*r**iliti*s in v*rsions ***or* *.*.*: in**x.p*p (l**tm*nu p*r*m*t*r), *or*/*j*x/*ox.p*p (P*T*_IN*O), pro*u*t/st*ts/**r*.p*p (typ* p*r*m*t*r), *oli**y/list.p*p (mont*_*r

Reasoning

T** **visory *xpli*itly lists sp**i*i* *il*s *n* p*r*m*t*rs vuln*r**l* to r**l**t**/stor** XSS *u* to insu**i*i*nt input s*nitiz*tion *n* output *n*o*in*. **** *ntry *orr*spon*s to * s*ript t**t pro**ss*s us*r-suppli** p*r*m*t*rs (*.*., vi* $_**T, $_

5.4

Basic Information

Concerned about an active attack path?

CVE-2017-9838: Dolibarr Cross-Site Scripting (XSS) vulnerability

5.4

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI