
CVE-2019-19211: Dolibarr ERP and CRM contain XSS Vulnerability

CVSS Score (v3.1): 6.1

Basic Information

EPSS Score: 0.83245%
Published: 5/24/2022
Updated: 10/5/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name       | Ecosystem | Vulnerable Versions | First Patched Version
dolibarr/dolibarr  | composer  | < 10.0.3            | 10.0.3

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from insufficient output encoding of multiple parameters in user/card.php: the PoC examples show URL parameters reflected directly into an HTML context. Although the advisories do not name the specific PHP functions involved, their consistent references to parameter reflection in card.php, together with the XSS mechanism, point to vulnerable parameter handling within this file. The high confidence comes from multiple independent sources (CVE, GHSA, Herolab) confirming the same vulnerable pattern in this endpoint.
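The pattern described above, reflecting a URL parameter into HTML without output encoding, is shown below as an added illustration in PHP. This is not Dolibarr's code and not the 10.0.3 fix; the page name, the `search` parameter and the helper names are hypothetical. It places the vulnerable rendering beside the hardened form and includes a small check a reviewer or test can use to tell whether a reflected value reached the page unencoded.

```php
<?php
// Added illustration of the vulnerability class (reflected XSS caused by
// missing output encoding). NOT Dolibarr's code; parameter and function
// names are hypothetical. The constructed sample input below only contains
// HTML metacharacters, enough to show whether encoding took place.

declare(strict_types=1);

// Single encoding routine every reflected value must pass through before it
// reaches an HTML body or a quoted attribute. ENT_QUOTES covers both single-
// and double-quoted attribute contexts; ENT_SUBSTITUTE prevents malformed
// UTF-8 from silently producing an empty string.
function esc_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern: the query parameter is concatenated straight into
// markup, so any metacharacters in it become part of the page's DOM.
function render_vulnerable(array $query): string
{
    $search = $query['search'] ?? '';
    return '<input type="text" name="search" value="' . $search . '">'
         . '<p>Results for: ' . $search . '</p>';
}

// Hardened pattern: identical template, but the reflected value is encoded
// once, at the point where it enters HTML.
function render_hardened(array $query): string
{
    $search = esc_html($query['search'] ?? '');
    return '<input type="text" name="search" value="' . $search . '">'
         . '<p>Results for: ' . $search . '</p>';
}

// Defensive check: true when the input carried HTML metacharacters and the
// rendered output still contains that input verbatim, i.e. unencoded.
function reflects_raw_markup(string $html, string $input): bool
{
    return strpbrk($input, '<>"\'') !== false && str_contains($html, $input);
}

// Constructed sample request (not an attack string).
$sample = ['search' => 'a<b>"c\'d'];

$vulnerable = render_vulnerable($sample);
$hardened   = render_hardened($sample);

var_dump(reflects_raw_markup($vulnerable, $sample['search'])); // unencoded reflection detected
var_dump(reflects_raw_markup($hardened, $sample['search']));   // no raw reflection
echo $hardened, PHP_EOL;
```

The important design point is that encoding happens at the output boundary, per context, rather than by filtering input on the way in: the same value may be legitimate data in the database and still need `<`, `>`, `"` and `'` encoded when it is written into HTML. Running the check over each rendered page in a test suite gives a cheap regression guard for endpoints that reflect request parameters, which is the class of defect the advisory describes for user/card.php.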

Vulnerable functions

Only Miggo users can see this section.

WAF Protection Rules

WAF Rule

Dolibarr ERP/CRM before 10.0.3 has an Insufficient filtering issue that can lead to user/card.php XSS.
