CVE-2024-23817

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

Published: Jan 25, 2024 / Updated: 9mo ago

CVSS 6.1 / EPSS 0.04% / Severity: Medium

Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. Version 18.0.4 has an HTML Injection vulnerability in the Home page of the Dolibarr Application. This vulnerability allows an attacker to inject arbitrary HTML tags and manipulate the rendered content in the application's response. Specifically, I was able to successfully inject a new HTML tag into the returned document and, as a result, was able to comment out some part of the Dolibarr App Home page HTML code. This behavior can be exploited to perform various attacks like Cross-Site Scripting (XSS). To remediate the issue, validate and sanitize all user-supplied input, especially within HTML attributes, to prevent HTML injection attacks, and implement proper output encoding when rendering user-provided data so that it is treated as plain text rather than as HTML.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
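The two effects the advisory describes (an injected tag, and an opened HTML comment that hides the rest of the page) and the recommended fix (context-appropriate output encoding) can be shown in a few lines. The following is an added example written for this page; it is not Dolibarr's code and does not reproduce the actual vulnerable sink. The templates, the `value` parameter and the payloads are constructed for illustration.

```python
import html
import re

# Constructed minimal renderer: a page that reflects a user-supplied value
# (think: a query parameter echoed on a home page). Illustrative only.
PAGE_TEMPLATE = (
    "<html><body>\n"
    "<h1>Home</h1>\n"
    "<p>Welcome, {value}</p>\n"
    '<div id="dashboard">Sensitive widget</div>\n'
    "</body></html>"
)

# Attribute context: the same value placed inside a quoted attribute.
ATTR_TEMPLATE = '<input name="search" value="{value}">'

# Constructed payloads. The first injects a new tag and opens an HTML
# comment that is never closed; browsers treat an unclosed comment as
# running to the end of the document, so everything after it disappears.
TEXT_PAYLOAD = '<b>attacker</b><!--'
# The second breaks out of a quoted attribute and adds an event handler.
ATTR_PAYLOAD = '" autofocus onfocus="alert(1)'


def render_vulnerable(value: str) -> str:
    """The sink: user input interpolated verbatim into HTML text."""
    return PAGE_TEMPLATE.format(value=value)


def render_fixed(value: str) -> str:
    """Same template, but the value is encoded for an HTML text context."""
    return PAGE_TEMPLATE.format(value=html.escape(value, quote=True))


def render_attr_vulnerable(value: str) -> str:
    """Attribute sink without encoding."""
    return ATTR_TEMPLATE.format(value=value)


def render_attr_fixed(value: str) -> str:
    """Attribute sink with quote-aware encoding (quote=True escapes " and ')."""
    return ATTR_TEMPLATE.format(value=html.escape(value, quote=True))


def visible_markup(doc: str) -> str:
    """Approximate browser comment handling: drop everything from '<!--' to
    the next '-->' or, if the comment is never closed, to end of document."""
    return re.sub(r"<!--.*?(?:-->|\Z)", "", doc, flags=re.S)


def dashboard_rendered(doc: str) -> bool:
    """Does the dashboard div survive as markup after comment handling?"""
    return '<div id="dashboard">' in visible_markup(doc)


def attribute_injected(doc: str) -> bool:
    """Did the payload manage to create a new attribute on the input tag?"""
    return 'onfocus="' in doc


if __name__ == "__main__":
    vuln = render_vulnerable(TEXT_PAYLOAD)
    fixed = render_fixed(TEXT_PAYLOAD)
    print("vulnerable page keeps dashboard:", dashboard_rendered(vuln))
    print("fixed page keeps dashboard:     ", dashboard_rendered(fixed))
    print("attr injected (vulnerable):", attribute_injected(render_attr_vulnerable(ATTR_PAYLOAD)))
    print("attr injected (fixed):     ", attribute_injected(render_attr_fixed(ATTR_PAYLOAD)))
```

The point of the two templates is that the encoding must match the sink's context: `html.escape` with `quote=True` covers both the text node and the double-quoted attribute here, but it would not be sufficient for an unquoted attribute, a `<script>` block or a URL, each of which needs its own encoder.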

Timeline

CVE Assignment

NVD published the first details for CVE-2024-23817

Jan 25, 2024 at 12:15 PM
Vendor Advisory

GitHub Advisories released a security advisory.

Jan 25, 2024 at 4:45 PM
First Article

Feedly found the first article mentioning CVE-2024-23817. See article

Jan 25, 2024 at 8:25 PM / National Vulnerability Database
EPSS

EPSS Score was set to: 0.04% (Percentile: 6.8%)

Jan 31, 2024 at 5:46 PM
Proof of Concept (PoC) Released

A proof of concept exploit has been released

Jan 31, 2024 at 6:10 PM
CVSS

A CVSS base score of 6.1 has been assigned.

May 9, 2024 at 3:25 PM / nvd

Affected Systems

Dolibarr/dolibarr_erp/crm

Exploits

https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-7947-48q7-cp5m

Patches

github.com

Attack Patterns

CAPEC-209: XSS Using MIME Type Mismatch
