CVE-2024-23817: Dolibarr Application Home Page has HTML injection vulnerability

April 18, 2024

Observed a HTML Injection vulnerbaility in the Home page of Dolibarr Application. This vulnerability allows an attacker to inject arbitrary HTML tags and manipulate the rendered content in the application’s response. Specifically, I was able to successfully inject a new HTML tag into the returned document and, as a result, was able to comment out some part of the Dolibarr App Home page HTML code. This behavior can be exploited to perform various attacks like Cross-Site Scripting (XSS).

References

github.com/Dolibarr/dolibarr
github.com/Dolibarr/dolibarr/security/advisories/GHSA-7947-48q7-cp5m
github.com/advisories/GHSA-7947-48q7-cp5m
nvd.nist.gov/vuln/detail/CVE-2024-23817

Code Behaviors & Features

Detect and mitigate CVE-2024-23817 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →