6.1

CVSS Score

3.0

-

CVSS Score

Basic Information

CVE ID

CVE-2019-1010016

GHSA ID

GHSA-97fp-5m87-r9mf

EPSS Score

0.50018%

CWE

CWE-79

Published

5/24/2022

Updated

4/24/2024

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-1010016

CVE-2019-1010016: Dolibarr Cross Site Scripting (XSS)

Dolibarr 6.0.4 is affected by: Cross Site Scripting (XSS). The impact is: Cookie stealing. The component is: htdocs/product/stats/card.php. The attack vector is: Victim must click a specially crafted link sent by the attacker.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2019-1010016

CVE-2019-1010016:

6.1

CVSS Score

3.0

-

CVSS Score

Basic Information

CVE ID

CVE-2019-1010016

GHSA ID

GHSA-97fp-5m87-r9mf

EPSS Score

0.50018%

CWE

CWE-79

Published

5/24/2022

Updated

4/24/2024

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
dolibarr/dolibarr	composer	= 6.0.4

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability arises in card.php where the 'id' parameter is fetched using GETPOST('id') and directly embedded into the HTML output without sanitization. The GitHub issue explicitly identifies GETPOST('id') as the root cause due to missing validation. Since Dolibarr's GETPOST function does not enforce sanitization by default (requiring explicit parameters like 'sanitize' or type constraints), this usage in card.php creates an XSS vector when the unsanitized 'id' is reflected in the page.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.1

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2019-1010016: Dolibarr Cross Site Scripting (XSS)

CVE-2019-1010016:

6.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2019-1010016: Dolibarr Cross Site Scripting (XSS)

Basic Information

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

6.1

6.1

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI