CVE-2019-16197: Cross-site scripting in Dolibarr

CVSS Score: 6.1 (CVSS v3.1)

Basic Information

EPSS Score: 0.40686%
Published: 11/8/2019
Updated: 1/28/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package Name: dolibarr/dolibarr
Ecosystem: composer
Vulnerable Versions: < 10.0.2
First Patched Version: 10.0.2

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability stems from improper input handling in Dolibarr's language detection. The CVE description attributes the XSS to the User-Agent HTTP header, but the patched code points elsewhere: the fix lands in the Accept-Language header processing within Translate::setDefaultLang. The commit adds an allowlist filter, preg_replace('/[^_a-zA-Z]/', '', ...), which strips every character other than ASCII letters and underscore from the detected language code before it is used, and the accompanying test case sends a malicious header to confirm that the injected markup no longer survives. Because the code change and the advisory context both center on Accept-Language handling in this function, the User-Agent reference in the CVE description appears to be an error. Note that an allowlist this tight neutralises the value at the source; any other path that copies a request header into HTML still needs output encoding (htmlspecialchars or equivalent) at the point of output.
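The following PHP is an added illustration, not Dolibarr's code or the actual patch: it shows the allowlist filter described above applied to a language code derived from Accept-Language, beside the unsafe pattern it replaces. The helper names (firstLanguageTag, detectLangUnsafe, detectLangSafe, renderHtmlTag), the simplified header parsing and the sample headers are all assumptions made for the example.

```php
<?php
// Added illustration, not Dolibarr's own code. Demonstrates the allowlist
// fix preg_replace('/[^_a-zA-Z]/', '', ...) on a header-derived language
// code, next to the unsafe variant. Function names and parsing are assumed.

/**
 * Take the highest-priority tag from an Accept-Language header and turn it
 * into xx_XX form, e.g. "fr-FR,fr;q=0.9" -> "fr_FR".
 * Assumed helper: deliberately simplified parsing, not RFC-complete.
 */
function firstLanguageTag(string $acceptLanguage): string
{
    $first = explode(',', $acceptLanguage, 2)[0]; // first comma-separated entry
    $first = explode(';', $first, 2)[0];          // drop any ";q=..." weight
    return str_replace('-', '_', trim($first));
}

/**
 * Unsafe variant: the header-derived value is used as-is, so any markup
 * in the header reaches the HTML sink untouched.
 */
function detectLangUnsafe(string $acceptLanguage): string
{
    return firstLanguageTag($acceptLanguage);
}

/**
 * Hardened variant: the allowlist from the fix keeps only ASCII letters and
 * underscore, so quotes, angle brackets and other markup cannot survive.
 */
function detectLangSafe(string $acceptLanguage): string
{
    return preg_replace('/[^_a-zA-Z]/', '', firstLanguageTag($acceptLanguage));
}

/**
 * Simulated sink: the language code lands inside an HTML attribute.
 */
function renderHtmlTag(string $lang): string
{
    return '<html lang="' . $lang . '">';
}

// Constructed inputs: a normal browser header and an injection attempt.
$benign  = 'fr-FR,fr;q=0.9,en;q=0.8';
$hostile = 'en"><script>alert(document.cookie)</script><p a="';

foreach ([$benign, $hostile] as $header) {
    echo "Accept-Language: $header\n";
    echo "  unsafe: " . renderHtmlTag(detectLangUnsafe($header)) . "\n";
    echo "  safe:   " . renderHtmlTag(detectLangSafe($header)) . "\n";
}
```

With the hostile header the unsafe path emits `<html lang="en"><script>alert(document.cookie)</script><p a="">`, while the hardened path reduces the value to `enscriptalertdocumentcookiescriptpa`, which is harmless inside the attribute. The allowlist turns an attack into garbage rather than rejecting it, so in a real application the filtered code should additionally be checked against the installed language list, falling back to the default language when it does not match.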


WAF Protection Rules

WAF Rule

In htdocs/societe/card.php in Dolibarr 10.0.1, the value of the User-Agent HTTP header is copied into the HTML document as plain text between tags, leading to XSS.
