Description
Hi all,
I don't think it's a good idea to post this here. But nobody responded to my mail and the Dolibarr official Twitter account advised me to post this here (https://twitter.com/MickaelDorigny/status/684456187870457857) so ...
Here is an advisory about an XSS vulnerability in the latest Dolibarr version (v3.8.3).
Vulnerability description :
A Stored XSS is available in the Dolibarr 3.8.3 core code. No module needs to be activated to exploit this XSS vulnerability because an attacker can use the user attributes management to do it.
This XSS can be exploited through a basic user account on the Dolibarr installation. Impacted users are administrators and users that have the right to check other users' attributes.
PoC n°1 : Stored XSS in user attributes:
Once a simple user is connected with his account, he can modify his attributes like Last name, First name, Mobile number, etc. This information can be reviewed by other users who have administration privileges.
Using the HTML <img> tag and the "onmouseover" JavaScript event, we can force an admin to pass his mouse over the injected image. This event can be used to execute valid JavaScript instructions in the administrator's browser or in the browser of other users allowed to check users' attributes.
PoC :
As an authenticated user, fill the "Last name", "First name", "email", "job" or "signature" input with this:
user1< img src=x onmouseover=alert(1) >
This is a PoC Video made by myself to expose the most dangerous usage of this vulnerability : https://www.youtube.com/watch?v=p2rFWJOCJC8
Feel free to ask more details if needed.
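
Added example, not part of the original report and not Dolibarr code: a minimal PHP sketch of the fix class for the issue described above, showing user attributes written into a page unencoded next to the same template with output encoding. The function names, the field set and the sample record are assumptions made for illustration; the "lastname" value is the PoC string from the report.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: encode a stored value for an HTML text node
// or a quoted attribute value.
function esc_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// "Before": stored attributes are concatenated into the page as-is,
// so markup saved by one user is parsed in the viewer's browser.
function render_user_row_unsafe(array $user): string
{
    return '<tr><td>' . $user['lastname'] . '</td><td>' . $user['firstname']
         . '</td><td>' . $user['job'] . '</td></tr>';
}

// "After": every stored attribute is encoded at output time,
// regardless of what was accepted when the profile was saved.
function render_user_row_safe(array $user): string
{
    $cells = '';
    foreach (['lastname', 'firstname', 'job'] as $field) {
        $cells .= '<td>' . esc_html((string) ($user[$field] ?? '')) . '</td>';
    }
    return '<tr>' . $cells . '</tr>';
}

// Regression check: strip the template's own tags; any "<" that
// remains was supplied by stored data rather than by the template.
function has_injected_markup(string $html): bool
{
    $rest = preg_replace('#</?(tr|td)>#', '', $html);
    return strpos((string) $rest, '<') !== false;
}

// Constructed sample record (not taken from a real installation).
$user = [
    'lastname'  => 'user1< img src=x onmouseover=alert(1) >',
    'firstname' => 'Alice',
    'job'       => 'Accountant',
];

echo "unsafe template leaks markup: ";
var_dump(has_injected_markup(render_user_row_unsafe($user)));
echo "safe template leaks markup:   ";
var_dump(has_injected_markup(render_user_row_safe($user)));
echo render_user_row_safe($user), PHP_EOL;
```

The same encoding has to be applied on every page that displays these fields, including the administrator views of other users' attributes named in the report.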