CVSS Score
The vulnerability stemmed from two key issues: 1) dol_htmlentitiesbr on its own only handles basic entity conversion and line-break handling; it does not filter HTML tags. 2) Multiple files (user/note.php, group/card.php, and others) output user-controlled note fields using only dol_htmlentitiesbr. The patch wrapped these outputs in dol_string_onlythesehtmltags and switched to the note_private field, which indicates that the original handling of the note field in these display contexts was vulnerable. Because the function cannot strip dangerous HTML tags when used in isolation, it created the XSS vector.
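As an added illustration (not Dolibarr's own code), the following PHP models the two rendering paths described above: an entities-and-line-breaks helper that leaves existing HTML untouched, and an allowlist tag filter applied before it. The function names, the regex-based "looks like HTML" check and the allowed-tag set are simplifying assumptions, not the project's implementation.

```php
<?php
// Added illustration (assumption: simplified reimplementation, not Dolibarr code).

// Model of an "entities + line breaks" helper in the spirit of dol_htmlentitiesbr:
// if the value already looks like HTML it is passed through with only newline
// handling; otherwise it is entity-encoded. Tags are never removed, which is
// why this step alone cannot stop stored XSS in a note field.
function render_entities_br(string $note): string
{
    $looksLikeHtml = (bool) preg_match('/<\/?[a-z][^>]*>/i', $note);
    if ($looksLikeHtml) {
        return nl2br($note, false);
    }
    return nl2br(htmlentities($note, ENT_QUOTES, 'UTF-8'), false);
}

// Allowlist filter in the spirit of dol_string_onlythesehtmltags (hypothetical
// name and tag set): keep a few formatting tags, drop every other tag.
function only_these_html_tags(string $note): string
{
    $note = strip_tags($note, '<b><i><u><br><p><ul><li>');
    // strip_tags keeps attributes on allowed tags, so also drop inline event
    // handlers (on*) and javascript: URLs that could survive on them.
    $note = preg_replace('/\s+on[a-z]+\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+)/i', '', $note);
    $note = preg_replace('/\s+(href|src)\s*=\s*["\']?\s*javascript:[^"\'>\s]*["\']?/i', '', $note);
    return $note;
}

// Hardened display path: allowlist first, then the entity/line-break step.
function render_note_hardened(string $note): string
{
    return render_entities_br(only_these_html_tags($note));
}

// Constructed sample note contents (not taken from the advisory).
$samples = [
    "Plain note\nsecond line",
    "<b>Bold</b> note with <script>alert(1)</script>",
    "<p onmouseover=\"alert(1)\">hover</p>",
];
foreach ($samples as $s) {
    echo "vulnerable: " . render_entities_br($s) . PHP_EOL;
    echo "hardened:   " . render_note_hardened($s) . PHP_EOL . PHP_EOL;
}
```

The second and third samples show the difference: the entities-only path echoes the script tag and the event-handler attribute unchanged, while the allowlisted path strips them and keeps only the formatting tags.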
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| dolibarr/dolibarr | composer | < 11.0.1 | 11.0.1 |