Stored XSS in “Dolibarr” leads to privilege escalation
CVE-2021-25955

9CRITICAL

Key Information:

Vendor: Dolibarr
Status: Dolibarr
Vendor: CVE Published:; 15 August 2021

What is CVE-2021-25955?

In “Dolibarr ERP CRM”, WYSIWYG Editor module, v2.8.1 to v13.0.2 are affected by a stored XSS vulnerability that allows low privileged application users to store malicious scripts in the “Private Note” field at “/adherents/note.php?id=1” endpoint. These scripts are executed in a victim’s browser when they open the page containing the vulnerable field. In the worst case, the victim who inadvertently triggers the attack is a highly privileged administrator. The injected scripts can extract the Session ID, which can lead to full Account takeover of the admin and due to other vulnerability (Improper Access Control on Private notes) a low privileged user can update the private notes which could lead to privilege escalation.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

dolibarr <= unspecified

dolibarr v2.8.1

References

https://www.whitesourcesoftware.com/vulnerability-databas...

x_refsource_MISC

https://github.com/Dolibarr/dolibarr/commit/796b2d201acb9...

x_refsource_MISC

CVSS V3.1

Score:

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Aug 15, 2021
Vulnerability Reserved
Jan 22, 2021

Credit

Hagai Wechsler

JSON

Dolibarr

What is CVE-2021-25955?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

CVSS V3.1

Timeline

Credit

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.