CVE-2017-14239 in Dolibarr
Summary
by MITRE
Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM 6.0.0 allow remote authenticated users to inject arbitrary web script or HTML via the (1) CompanyName, (2) CompanyAddress, (3) CompanyZip, (4) CompanyTown, (5) Fax, (6) EMail, (7) Web, (8) ManagingDirectors, (9) Note, (10) Capital, (11) ProfId1, (12) ProfId2, (13) ProfId3, (14) ProfId4, (15) ProfId5, or (16) ProfId6 parameter to htdocs/admin/company.php.
Analysis
by VulDB Data Team • 12/28/2022
CVE-2017-14239 is a critical cross-site scripting flaw in Dolibarr ERP/CRM version 6.0.0 that exposes multiple input parameters to script injection. It is classified under CWE-79 (Cross-Site Scripting) and affects the administrative configuration interface where an organization maintains its company information. The affected parameters cover the company profile fields CompanyName, CompanyAddress, CompanyZip, CompanyTown, Fax, EMail, Web, ManagingDirectors, Note and Capital, plus the professional identification fields ProfId1 through ProfId6, so the attack surface within this single page is broad.
Technically, the flaw stems from insufficient input validation and missing output encoding in the Dolibarr administrative module. When an authenticated user with the required privileges submits the company configuration page at htdocs/admin/company.php, the application does not escape or filter the supplied values before rendering them back to the browser. Injected JavaScript or HTML therefore executes in the browsers of other users who later view the stored company information. The vulnerability is particularly dangerous because only authenticated access is required: an account holding legitimate administrative privileges is sufficient to deliver a payload to other users of the system.
The operational impact goes beyond simple script execution, since session hijacking, data theft and privilege escalation within the application all become possible. Crafted input could steal session cookies, redirect users to phishing sites or alter company data in ways that disrupt business operations. Because the vector is legitimate administrative functionality, conventional security monitoring is unlikely to flag it. With multiple profile fields affected, an attacker can choose whichever parameter best suits the context and the input fields available, which raises the likelihood of successful exploitation.
Organizations running Dolibarr ERP/CRM 6.0.0 should remediate promptly by applying the vendor's official patches or upgrading to a patched release. Mitigation should also include consistent input validation and output encoding for every user-controllable parameter in the administrative interface. Security teams may add a web application firewall to detect and block script injection attempts, and should test every input field in the application. This vulnerability aligns with ATT&CK technique T1566.001 (Initial Access through Spearphishing Attachment) and T1059.007 (Command and Scripting Interpreter: JavaScript), showing how such flaws can be leveraged toward broader compromise of an enterprise environment. It underlines the need for secure coding practices and input sanitization in enterprise applications, particularly those handling sensitive business and user data.
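The missing-output-encoding pattern described above beside its hardened form, as an added example in PHP (Dolibarr's language) that is not Dolibarr's own code: the field names are the 16 parameters from the advisory, while the rendering helpers, the markup-audit regex and the sample value are constructed for illustration.

```php
<?php
// Added example, not Dolibarr code. Shows the two ways a stored company-profile
// value can be echoed into the admin form: raw (the CVE-2017-14239 pattern)
// and encoded for the HTML attribute context (the fix the advisory calls for).

// The 16 parameters named in the advisory for htdocs/admin/company.php.
const COMPANY_FIELDS = [
    'CompanyName', 'CompanyAddress', 'CompanyZip', 'CompanyTown', 'Fax',
    'EMail', 'Web', 'ManagingDirectors', 'Note', 'Capital',
    'ProfId1', 'ProfId2', 'ProfId3', 'ProfId4', 'ProfId5', 'ProfId6',
];

// Vulnerable pattern: the stored value is concatenated straight into value="...".
// Any quote or angle bracket in it is interpreted as markup by the browser.
function render_field_vulnerable(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

// Hardened pattern: encode for the attribute context. ENT_QUOTES covers both
// quote characters so the value cannot terminate the attribute; ENT_SUBSTITUTE
// replaces invalid UTF-8 instead of returning an empty string.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_field_safe(string $name, string $value): string
{
    return '<input type="text" name="' . e($name) . '" value="' . e($value) . '">';
}

// Defender-side audit: flag stored values that would be parsed as markup if
// echoed raw, so an existing configuration can be reviewed after upgrading.
function looks_like_markup(string $value): bool
{
    return (bool) preg_match('/[<>"\']|&#|&[a-z]+;/i', $value);
}

// Constructed sample value carrying markup characters (hypothetical input).
$sample = ['CompanyName' => 'Acme & Sons "Ltd" <b>trusted</b>'];
foreach (COMPANY_FIELDS as $field) {
    if (!isset($sample[$field])) continue;
    echo "vulnerable: ", render_field_vulnerable($field, $sample[$field]), "\n";
    echo "safe:       ", render_field_safe($field, $sample[$field]), "\n";
    echo "audit:      ", looks_like_markup($sample[$field]) ? 'review' : 'ok', "\n";
}
```

The encoded form renders the sample as literal text, whereas the raw form turns the `"` into the end of the attribute and the `<b>` into a live tag, which is exactly the condition the advisory describes.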