Fixed version
13.0.3
unspecified
14.0.0
CVE-2021-25955 describes a stored Cross-Site Scripting (XSS) vulnerability within the WYSIWYG Editor module of Dolibarr ERP CRM. This vulnerability allows low-privileged application users to inject malicious scripts into the 'Private Note' field, which are then executed in the browsers of other users, including potentially highly privileged administrators. The vulnerability affects versions of Dolibarr ERP CRM up to 9.0.4 and has been resolved in version 14.0.0.
The impact of this XSS vulnerability is significant. An attacker can inject arbitrary JavaScript code that executes within the context of a victim's browser. This allows for a wide range of malicious actions, including stealing session cookies, redirecting users to phishing sites, and defacing the application. Given that the vulnerable field can be accessed and modified by low-privileged users, and the potential for targeting administrators, the blast radius is substantial. Successful exploitation could lead to complete account takeover, granting the attacker full control over the Dolibarr instance and potentially the underlying systems.
CVE-2021-25955 was publicly disclosed on August 30, 2021. While no active exploitation campaigns have been definitively confirmed, the vulnerability's CRITICAL severity and ease of exploitation make it a likely target. It is not currently listed on CISA KEV. Public proof-of-concept exploits are available, increasing the risk of widespread exploitation.
Organizations utilizing Dolibarr ERP CRM, particularly those with legacy configurations or those who haven't implemented robust input validation practices, are at significant risk. Shared hosting environments where multiple users share the same Dolibarr instance are also particularly vulnerable, as an attacker could potentially compromise the entire environment through a single user account.
• php / web:
grep -r "<script" /var/www/dolibarr/adherents/note.php
• generic web:
curl -I http://your-dolibarr-instance/adherents/note.php?id=1 | grep -i content-type
• linux / server:
journalctl -u php-fpm | grep -i 'Private Note'
disclosure
poc
Exploitation status
EPSS
0.41% (62nd percentile)
CVSS vector
The primary mitigation for CVE-2021-25955 is to upgrade Dolibarr ERP CRM to version 14.0.0 or later, which contains the fix. If immediate upgrading is not possible, consider implementing a Web Application Firewall (WAF) rule to filter out potentially malicious input in the 'Private Note' field, specifically targeting script tags and event handlers. Additionally, carefully review and sanitize any user-supplied data before storing it in the database. Monitor Dolibarr logs for suspicious activity, particularly attempts to access or modify the 'Private Note' field. After upgrading, confirm the fix by attempting to inject a simple JavaScript payload into the 'Private Note' field and verifying that it is not executed.
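The advice above to sanitize user-supplied data before storing it, and to check existing data after upgrading, is illustrated by the following added example. It is not Dolibarr's own code (Dolibarr is PHP; this is a Python sketch of the same technique): an allowlist-based HTML sanitizer for a rich-text note field that drops script/style content, unknown tags, event-handler attributes and unsafe link schemes, plus a helper that lists stored notes the sanitizer would change. The tag/attribute policy, the `sanitize_note`/`flag_suspicious` names and the sample notes are all constructed for this example.

```python
from html import escape
from html.parser import HTMLParser
import re

# Constructed allowlist policy for a "private note" rich-text field: tag -> attributes kept.
# Anything not listed here is dropped; attribute names such as onerror/onmouseover never
# appear in the allowlist, so event handlers are discarded regardless of the tag.
ALLOWED_TAGS = {
    "b": set(), "i": set(), "u": set(), "em": set(), "strong": set(),
    "p": set(), "br": set(), "ul": set(), "ol": set(), "li": set(),
    "a": {"href"},
}
VOID_TAGS = {"br"}
# Only absolute http(s)/mailto links survive; javascript:, data: and friends are removed.
SAFE_URL = re.compile(r"^(https?:|mailto:)", re.IGNORECASE)


class NoteSanitizer(HTMLParser):
    """Rebuilds a note from the allowlist; text is re-escaped on the way out."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside <script>/<style>; their text is discarded

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag (img, iframe, svg, ...) is dropped, its text content kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue  # drops on* handlers, style, id, class, ...
            if name == "href" and not SAFE_URL.match(value.strip()):
                continue  # drops javascript:/data: links
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <br/> is emitted as <br>

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.skip_depth == 0:
            self.out.append(escape(data, quote=False))  # re-escape &, <, > in text


def sanitize_note(raw: str) -> str:
    """Return the allowlisted, re-escaped form of an untrusted note body."""
    parser = NoteSanitizer()
    parser.feed(raw)
    parser.close()
    return "".join(parser.out)


def flag_suspicious(notes):
    """Ids of stored notes the sanitizer would alter, i.e. notes carrying markup outside
    the allowlist. Intended as a triage list over a database export after upgrading;
    a note using <br/> or unquoted attributes is also listed, so review before deleting."""
    return [note_id for note_id, body in notes if sanitize_note(body) != body]


# Constructed sample rows (id, note body); not data from any real Dolibarr instance.
SAMPLE_NOTES = [
    (1, 'Call back <b>Monday</b>, see <a href="https://example.com/x">ticket</a>'),
    (2, '<script>alert(1)</script>Follow up'),
    (3, '<b onmouseover="alert(1)">Important</b>'),
    (4, 'Price is 10 &lt; 20'),
]

if __name__ == "__main__":
    for note_id, body in SAMPLE_NOTES:
        print(note_id, repr(sanitize_note(body)))
    print("needs review:", flag_suspicious(SAMPLE_NOTES))
```

Run it as a script to see each sample note before and after sanitization; in a real deployment the same check belongs on the server side at save time, with output encoding still applied when the note is rendered, since a WAF rule alone only filters what it recognizes.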
Upgrade Dolibarr to a version later than 13.0.2. This will fix the stored XSS vulnerability in the WYSIWYG Editor module.
CVE-2021-25955 is a critical stored XSS vulnerability in Dolibarr ERP CRM versions up to 9.0.4, allowing attackers to inject malicious scripts.
You are affected if you are running Dolibarr ERP CRM versions 9.0.4 or earlier. Upgrade to 14.0.0 or later to resolve the vulnerability.
Upgrade Dolibarr ERP CRM to version 14.0.0 or later. As a temporary workaround, implement a WAF rule to filter malicious input.
While no confirmed active campaigns are known, the vulnerability's severity and ease of exploitation make it a likely target.
Refer to the official Dolibarr security advisory: https://www.dolibarr.org/security/dolibarr-erp-crm-sa-2021-004/