
CVE-2018-19993: Dolibarr reflected cross-site scripting (XSS) vulnerability

CVSS Score: 6.1 (CVSS v3.0)

Basic Information

EPSS Score: 0.5489%
Published: 5/14/2022
Updated: 4/24/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name: dolibarr/dolibarr
Ecosystem: composer
Vulnerable Versions: < 8.0.4
First Patched Version: 8.0.4

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability stems from two key patterns:

  1. Direct output of GETPOST('transphrase') without sanitization (missing 'alphanohtml' filter parameter in vulnerable versions)
  2. Passing GETPOST('transkey') to the translation system without HTML escaping

The patch adds 'alphanohtml' filtering to both GETPOST calls, confirming these were the injection points. The functions are clearly vulnerable as they directly incorporate user-controlled input into HTML output without proper neutralization, meeting CWE-79 criteria for reflected XSS.
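As an added illustration (not Dolibarr's own code and not part of the Miggo analysis), the stand-alone PHP below places the vulnerable pattern next to the patched one. The helper `getpost_demo()` is a hypothetical, simplified stand-in for Dolibarr's `GETPOST($name, $check)` call and its 'alphanohtml' check; the project's real implementation differs in detail. The sample request value is constructed, not a payload from the advisory.

```php
<?php
// Added example, not Dolibarr code. getpost_demo() is a hypothetical
// simplification of GETPOST($name, $check): with $check = 'none' the raw
// request parameter is returned; with $check = 'alphanohtml' markup is
// stripped and the remainder is HTML-encoded before it reaches the caller.
declare(strict_types=1);

function getpost_demo(array $request, string $name, string $check = 'none'): string
{
    $value = isset($request[$name]) ? (string) $request[$name] : '';
    if ($check === 'alphanohtml') {
        $value = strip_tags($value);                                   // drop tags
        $value = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8'); // neutralise the rest
    }
    return $value;
}

// Vulnerable shape (pre-8.0.4): the parameter is read with no check and
// concatenated straight into the response body.
function render_vulnerable(array $request): string
{
    $transphrase = getpost_demo($request, 'transphrase');
    return '<div class="info">' . $transphrase . '</div>';
}

// Patched shape: the same output path, but the read now carries the
// 'alphanohtml' check, which is the one-argument change the fix makes.
function render_fixed(array $request): string
{
    $transphrase = getpost_demo($request, 'transphrase', 'alphanohtml');
    return '<div class="info">' . $transphrase . '</div>';
}

// Constructed sample request (benign markup, used only to show the difference).
$sample = ['transphrase' => '<b>hello</b> & "bye"'];

$vuln  = render_vulnerable($sample);
$fixed = render_fixed($sample);

// Self-check: the vulnerable path reflects the tag verbatim, the fixed path does not.
if (strpos($vuln, '<b>') === false || strpos($fixed, '<b>') !== false
    || strpos($fixed, '&amp;') === false) {
    throw new RuntimeException('sanity check failed');
}

echo "vulnerable: {$vuln}\n";   // <div class="info"><b>hello</b> & "bye"</div>
echo "fixed:      {$fixed}\n";  // <div class="info">hello &amp; &quot;bye&quot;</div>
```

Run with `php example.php`. The practical lesson for reviewing similar code is the one the analysis states: whenever a `GETPOST()` result ends up in HTML, the check argument must be present, and a context-appropriate encoder (`htmlspecialchars()` for HTML text) at the point of output is the defence that holds even if an input filter is later relaxed.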


WAF Protection Rules

WAF Rule

A reflected cross-site scripting (XSS) vulnerability in Dolibarr (versions before 8.0.4, per the table above) allows remote attackers to inject arbitrary web script or HTML via the transphrase parameter to public/notice.php.
