Cross-site Scripting (XSS) - Stored in Dolibarr/dolibarr

Valid
Reported on May 18th 2021

✍️ Description

Dolibarr is vulnerable to stored XSS. It is possible to bypass the sanitizer through the onpointerdown event handler attribute.
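To show why a bypass like this works and how to close it, here is an added Python illustration (not Dolibarr's own sanitizer; the denylist, ALLOWED_TAGS and SAFE_URL are constructed for the example): a sanitizer that strips only a fixed list of handler names lets onpointerdown through untouched, whereas rebuilding the fragment from an allowlist of tags and attributes drops every on* attribute regardless of its name.

```python
import html
import re
from html.parser import HTMLParser

PAYLOAD = "<a onpointerdown=alert(document.domain)>XSS</a>"   # payload from the report

# Weak approach (constructed): strip only the handler names someone listed.
DENYLISTED_HANDLERS = ("onclick", "onmouseover", "onmouseout", "onload", "onerror", "onfocus")
HANDLER_ATTR = re.compile(
    r"\s(?:%s)\s*=\s*(?:\"[^\"]*\"|'[^']*'|[^\s>]+)" % "|".join(DENYLISTED_HANDLERS), re.IGNORECASE)

def denylist_sanitize(fragment: str) -> str:
    """Remove listed handlers; any handler not on the list survives untouched."""
    return HANDLER_ATTR.sub("", fragment)

# Safer approach: rebuild the fragment keeping only allowlisted tags and attributes.
ALLOWED_TAGS = {"a": {"href", "title"}, "b": set(), "i": set(), "p": set()}
SAFE_URL = re.compile(r"^(?:https?:|mailto:|/|#)", re.IGNORECASE)

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.dropped = [], []      # dropped attributes are worth logging

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return                            # tag discarded, its text is still kept
        kept = []
        for name, value in attrs:             # HTMLParser lowercases names for us
            value = (value or "").strip()
            if name not in ALLOWED_TAGS[tag] or (name == "href" and not SAFE_URL.match(value)):
                self.dropped.append((tag, name))   # every on* attribute lands here
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

def allowlist_sanitize(fragment: str):
    """Return (clean_html, dropped_attributes) for the fragment."""
    p = AllowlistSanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out), p.dropped
```

The dropped list doubles as a detection signal: an on* attribute arriving in a product description is worth logging as a probable XSS attempt.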

🕵️‍♂️ Proof of Concept

Payload: <a onpointerdown=alert(document.domain)>XSS</a>.

  1. With an authenticated user, access http://localhost/product/index.php.
  2. Click on New product in the left bar.
  3. Put any content in the Ref and Label fields.
  4. Put the payload in the description field.
  5. Click on save.
  6. Click on the XSS link.

PoC video: https://www.youtube.com/watch?v=4ez3VRJd5oU.

💥 Impact

Arbitrary JavaScript code execution in the victim's browser.