
CVE-2019-19206: Dolibarr ERP and CRM contain XSS Vulnerability

CVSS Score: 5.4

Basic Information

EPSS Score: -
Published: 5/24/2022
Updated: 9/26/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Package Name: dolibarr/dolibarr
Ecosystem: composer
Vulnerable Versions: <= 10.0.3
First Patched Version: -

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability manifests in the image viewing endpoint (viewimage.php) when it handles SVG files. Key indicators:

  1. The attack vector uses the 'viewimage.php?file=' parameter to fetch an uploaded SVG.
  2. Dolibarr fails to do either of the following:
    • validate MIME types during upload (so an SVG containing JavaScript is accepted)
    • sanitize SVG content before rendering
  3. Script embedded in an SVG file (for example in <script> tags) runs when a browser renders the file.
  4. The vulnerability pattern matches common XSS in direct file-serving scenarios where:
    • user-controlled filenames are used to fetch content
    • file content is served with its original markup
    • no output encoding is applied to embedded scripts
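As an added example (not Dolibarr's code and not part of this advisory), the following Python models the two controls the analysis says were missing: content-based validation of uploaded SVGs, and response headers for a file-fetch endpoint such as viewimage.php?file= that keep a stored SVG from being rendered as a document. The deny-list, the header policy and the sample files are assumptions made for this example.

```python
import re
import xml.etree.ElementTree as ET
# Small deny-list of constructs that can carry executable content in an SVG
# (assumed for this example; prefer an allow-list sanitizer or refusing SVG uploads).
ACTIVE_TAGS = {"script", "foreignobject"}
EVENT_ATTR = re.compile(r"^on[a-z]+$", re.I)
RASTER_TYPES = {"png": "image/png", "jpg": "image/jpeg", "jpeg": "image/jpeg"}

def looks_like_svg(data: bytes) -> bool:
    """Content sniff, so a renamed .png cannot smuggle an SVG past the checks."""
    return b"<svg" in data[:1024].lower()

def svg_active_content(data: bytes) -> list:
    """List script-bearing constructs in an SVG; malformed XML is a finding too."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"malformed XML: {exc}"]
    findings = []
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1].lower()  # strip the XML namespace
        if tag in ACTIVE_TAGS:
            findings.append(f"<{tag}> element")
        for name in el.attrib:
            local = name.rsplit("}", 1)[-1]
            if EVENT_ATTR.match(local):
                findings.append(f"{local} handler on <{tag}>")
    return findings

def upload_allowed(data: bytes) -> bool:
    """Upload-time rule: an SVG is stored only if it carries no active content."""
    return not looks_like_svg(data) or not svg_active_content(data)

def serving_headers(filename: str, data: bytes) -> dict:
    """Serve-time rule for a file-fetch endpoint such as viewimage.php?file=."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    headers = {"X-Content-Type-Options": "nosniff"}
    if looks_like_svg(data) or ext == "svg":
        headers["Content-Type"] = "image/svg+xml"
        headers["Content-Disposition"] = "attachment"  # download, never render
        headers["Content-Security-Policy"] = "default-src 'none'"  # defence in depth
    elif ext in RASTER_TYPES:
        headers["Content-Type"] = RASTER_TYPES[ext]
        headers["Content-Disposition"] = "inline"
    else:  # unknown type: never let the browser guess
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = "attachment"
    return headers

SAFE_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'  # constructed sample
ACTIVE_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="x()"><script>x()</script></svg>'  # constructed sample
```

The serve-time rule keys off the file content as well as the extension, so an SVG stored under a raster filename is still offered as a download rather than rendered.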


WAF Protection Rules

WAF Rule

Dolibarr CRM/ERP 10.0.3 allows `viewimage.php?file=` Stored XSS due to JavaScript execution in an SVG image for a profile picture.
