
CVE-2022-30875: Cross-site Scripting in Dolibarr

CVSS Score: 6.1 (CVSS 3.1)

Basic Information

EPSS Score: 0.56366%
Published: 6/9/2022
Updated: 1/27/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
dolibarr/dolibarr | composer | = 12.0.5 |

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The XSS occurs via SQL error messages, which typically involve: 1) database error handling functions that capture raw SQL input and error text, and 2) error page templates that display these messages. While the exact code isn't available, Dolibarr's architecture suggests that DoliDB::error handles SQL exceptions and that the error templates render the resulting messages. The vulnerability implies that both components lack proper output sanitization, i.e. the error text is not HTML-escaped before it is rendered. Confidence is medium: the assessment rests on pattern matching against XSS vulnerabilities in other error-handling systems, without direct code evidence.

WAF Protection Rules

WAF Rule

Dolibarr 12.0.5 is vulnerable to Cross Site Scripting (XSS) via Sql Error Page.
