Dolibarr Product Module Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in the Product module of Dolibarr version 21.0.0-beta. This vulnerability allows attackers to execute arbitrary web scripts or HTML by injecting a crafted payload into the Title parameter. The issue arises because the application fails to properly sanitize user input before it is displayed, particularly in tooltips that can be triggered by hovering over certain elements.
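As an added illustration of the defect class described above (this is not Dolibarr's code), the snippet below contrasts writing a stored product title into a tooltip attribute verbatim with HTML-escaping it first, then parses each result the way a browser would so the difference is observable. The title, the product ref and the span markup are constructed for the example.

```python
import html
from html.parser import HTMLParser

# Constructed sample values (not taken from the advisory). The title carries a
# double quote, so it closes the attribute early if written out unencoded.
UNTRUSTED_TITLE = 'Widget" data-injected="1'
PRODUCT_REF = "PROD-001"


def render_tooltip_unsafe(ref: str, title: str) -> str:
    """Defect class from the advisory: the stored title is interpolated into
    the tooltip attribute without encoding, so attribute-breaking characters
    in it change the markup the browser sees."""
    return f'<span class="ref" title="{title}">{ref}</span>'


def render_tooltip_safe(ref: str, title: str) -> str:
    """Hardened form: escape for the attribute and text contexts.
    quote=True encodes the quote characters as well as < > &."""
    return (f'<span class="ref" title="{html.escape(title, quote=True)}">'
            f'{html.escape(ref, quote=True)}</span>')


class _SpanAttrs(HTMLParser):
    """Collects the attributes of the first <span> in the markup."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "span" and not self.attrs:
            self.attrs = dict(attrs)


def tooltip_attrs(markup: str) -> dict:
    """Return the span's attributes as a browser's parser would see them.
    Safe output yields exactly {'class', 'title'} with the title round-tripped
    intact; the unsafe output grows an extra, attacker-chosen attribute."""
    parser = _SpanAttrs()
    parser.feed(markup)
    return parser.attrs


if __name__ == "__main__":
    print(tooltip_attrs(render_tooltip_unsafe(PRODUCT_REF, UNTRUSTED_TITLE)))
    print(tooltip_attrs(render_tooltip_safe(PRODUCT_REF, UNTRUSTED_TITLE)))
```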

Impact

Exploitation of this vulnerability allows for the execution of malicious JavaScript in the context of the user interface. If the victim has administrative privileges, the injected script could automatically perform actions on behalf of the user, potentially leading to unauthorized privilege escalation.

Reproduction

To reproduce this vulnerability, first ensure that Dolibarr version 21.0.0-beta is installed and that the 'MAIN_RESTRICTHTML_ONLY_VALID_HTML_TIDY' option is enabled. This option is not active by default, so it must be manually set. Once the application is configured, navigate to the Product module and inject a script payload into the Title parameter of a product. After saving the product, hover over the 'product ref' tooltip to trigger the execution of the injected script.

Remediation

Users can update to Dolibarr version 21.0.1, where this vulnerability has been fixed.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 5.0
impact: 7.9
exploitability: 6.3
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.