9.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-38888

GHSA ID

GHSA-62wf-h26v-5m57

EPSS Score

0.86086%

CWE

CWE-79

Published

9/20/2023

Updated

11/4/2023

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-38888

CVE-2023-38888: Cross Site Scripting vulnerability in Dolibarr ERP CRM

Cross Site Scripting vulnerability in Dolibarr ERP CRM v.17.0.1 and before allows a remote attacker to obtain sensitive information and execute arbitrary code via the REST API module, related to analyseVarsForSqlAndScriptsInjection and testSqlAndScriptInject.

(GitHub Advisory)

9.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-38888

GHSA ID

GHSA-62wf-h26v-5m57

EPSS Score

0.86086%

CWE

CWE-79

Published

9/20/2023

Updated

11/4/2023

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
dolibarr/dolibarr	composer	< 17.0.1	17.0.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability description explicitly links the XSS flaw to functions handling SQL and script injection analysis. Given Dolibarr's architecture, these security validation functions in the core security class would be responsible for input sanitization. Their names and context suggest they failed to properly neutralize script elements while focusing on SQL injection prevention, creating an XSS vector through insufficient output encoding/validation in REST API processing. The critical severity and CWE-79 mapping strongly support this interpretation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*ross Sit* S*riptin* vuln*r**ility in *oli**rr *RP *RM v.**.*.* *n* ***or* *llows * r*mot* *tt**k*r to o*t*in s*nsitiv* in*orm*tion *n* *x**ut* *r*itr*ry *o** vi* t** R*ST *PI mo*ul*, r*l*t** to *n*lys*V*rs*orSql*n*S*riptsInj**tion *n* t*stSql*n*S*ri

Reasoning

T** vuln*r**ility **s*ription *xpli*itly links t** XSS *l*w to *un*tions **n*lin* SQL *n* s*ript inj**tion *n*lysis. *iv*n *oli**rr's *r**it**tur*, t**s* s**urity `v*li**tion` *un*tions in t** *or* s**urity *l*ss woul* ** r*sponsi*l* *or input s*niti

9.7

Basic Information

Concerned about an active attack path?

CVE-2023-38888: Cross Site Scripting vulnerability in Dolibarr ERP CRM

9.7

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI