Dolibarr Events/Agenda Module Cross-Site Scripting Vulnerability

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in the Events/Agenda module of Dolibarr version 21.0.0-beta. This vulnerability allows attackers to execute arbitrary web scripts or HTML by injecting a crafted payload into the Title parameter. The issue arises because the module does not properly sanitize or encode the stored title before rendering it, in particular in the tooltips that are shown when a user hovers over an event title.
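As an added illustration, not Dolibarr's own code and not the fix shipped in 21.0.1, the PHP below shows the defect class the advisory describes: a stored event title concatenated verbatim into a tooltip attribute, beside a rendering that encodes the value for the HTML attribute context. The function names, the markup, the CSS class and the sample title are constructed for this example.

```php
<?php
// Added example, not the Agenda module's code: rendering an event title
// inside a tooltip (title attribute) with and without output encoding.
// Function names, markup and the sample title are assumptions for this demo.

// Constructed sample: a title as it might be stored after an unvalidated save.
// The double quote is enough to end the attribute in the unsafe renderer.
$storedTitle = 'Sprint review" onmouseover="alert(1)';

// Vulnerable rendering: the stored value is concatenated into an HTML
// attribute as-is, so a quote in the title terminates the attribute and
// whatever follows becomes new attributes or markup (stored XSS on hover).
function renderTooltipUnsafe(string $title): string
{
    return '<span class="event-tooltip" title="' . $title . '">'
        . $title . '</span>';
}

// Hardened rendering: encode for the HTML context at the point of output.
// ENT_QUOTES converts both ' and " so the value cannot leave the attribute;
// ENT_HTML5 with an explicit charset avoids encoding ambiguities. The same
// encoded value is also safe as element text content.
function renderTooltipSafe(string $title): string
{
    $escaped = htmlspecialchars($title, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<span class="event-tooltip" title="' . $escaped . '">'
        . $escaped . '</span>';
}

// Check used when reviewing templates: the encoded output must not contain
// a raw double quote outside the two attribute delimiters the template wrote.
function attributeValueIsContained(string $rendered, string $attr): bool
{
    // Extract the attribute value between the first attr=" and the next ".
    if (!preg_match('/' . preg_quote($attr, '/') . '="([^"]*)"/', $rendered, $m)) {
        return false;
    }
    // Safe only if nothing from the value re-opened a new attribute.
    return strpos($m[1], 'onmouseover') === false;
}

echo renderTooltipUnsafe($storedTitle), PHP_EOL;
echo renderTooltipSafe($storedTitle), PHP_EOL;
var_dump(attributeValueIsContained(renderTooltipUnsafe($storedTitle), 'title'));
var_dump(attributeValueIsContained(renderTooltipSafe($storedTitle), 'title'));
```

Encoding at output time, for the exact context (attribute, text node, JavaScript string), is the durable remediation; stripping tags on input is not a substitute, because the same stored value is rendered in several contexts and a title legitimately may contain quotes or angle brackets.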

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed when a user hovers over the affected element. If the victim has administrative privileges, this could lead to unauthorized actions being performed on behalf of the admin, potentially allowing an attacker to gain full control over the application.

Reproduction

To reproduce this vulnerability, inject a script payload into the Title parameter of an event in the Agenda module. Once the event is saved, hover over the event title to trigger the tooltip, which will execute the injected script. This can be automated with a Cross-Site Request Forgery (CSRF) attack to escalate privileges if the victim is an admin.

Remediation

Users can update to Dolibarr version 21.0.1, where this vulnerability has been fixed.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 5.0
impact: 7.5
exploitability: 6.3
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.