
CVE-2021-33618: Dolibarr ERP and CRM contain XSS Vulnerability

CVSS Score: 6.1 (CVSS v3.1)

Basic Information

EPSS Score: 0.84676%
Published: 5/24/2022
Updated: 7/11/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name       | Ecosystem | Vulnerable Versions | First Patched Version
dolibarr/dolibarr  | composer  | <= 13.0.2           | (not listed)

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The PoC demonstrates XSS via the group management endpoint (/user/group/card.php) through the 'nom' parameter. The vulnerability stems from:

  1. Direct reflection of unsanitized user input containing < and > characters
  2. Injection into an HTML body context through improper output encoding
  3. The advisory specifically calls out object detail views as the injection vector
  4. The file path is explicitly shown in the HTTP requests and vulnerability reproduction steps

While exact function names aren't provided in public disclosures, the group update logic in the card.php handler is the clear entry point based on the PoC and advisory details.
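The pattern described above, as an added illustration that is not Dolibarr's code (the handler sketch, the function names and the sample group name are assumptions): the same 'nom' value reflected into an HTML body context raw, beside the hardened form that encodes at the point of output.

```php
<?php
// Added illustration, not Dolibarr's code: a minimal sketch of a group "card"
// view that reflects the 'nom' (group name) parameter into the HTML body,
// first unsafely and then with context-appropriate output encoding.

declare(strict_types=1);

// Vulnerable pattern: raw reflection into an HTML body context.
// Any '<' or '>' in $nom is interpreted by the browser as markup, which is
// exactly the class of defect the advisory describes.
function render_group_name_unsafe(string $nom): string
{
    return '<div class="group-name">' . $nom . '</div>';
}

// Hardened pattern: encode for the HTML body context at the point of output.
// ENT_QUOTES also encodes both quote characters, so the same helper remains
// safe inside quoted attribute values; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string, which would silently drop the value.
function esc_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_group_name_safe(string $nom): string
{
    return '<div class="group-name">' . esc_html($nom) . '</div>';
}

// Constructed sample input: a group name carrying the '<' and '>' characters
// the advisory calls out. In the real handler this would come from the request
// (e.g. $_POST['nom']); it is hard-coded here so the script runs offline.
$nom = 'Accounting <b>team</b>';

echo 'Unsafe: ' . render_group_name_unsafe($nom) . PHP_EOL;
echo 'Safe:   ' . render_group_name_safe($nom) . PHP_EOL;
```

The fix belongs at the output boundary rather than at input: the stored group name may legitimately contain angle brackets, and the same value can later be emitted into other contexts (attributes, JavaScript, URLs), each of which needs its own encoder. A quick regression check for a view like this is to save a name containing `<` and `>` and confirm the rendered page source shows `&lt;` and `&gt;` rather than a new element.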


WAF Protection Rules

WAF Rule

Dolibarr ERP and CRM 13.0.2 allows XSS via object details, as demonstrated by > and < characters in the onpointermove attribute of a BODY element to the user-management feature.
