CVE-2018-16808 in Dolibarr
Summary
by MITRE
An issue was discovered in Dolibarr through 7.0.0. There is Stored XSS in expensereport/card.php in the expense reports plugin via the comments parameter, or a public or private note.
Analysis
by VulDB Data Team • 07/29/2023
The vulnerability identified as CVE-2018-16808 represents a critical stored cross-site scripting flaw within the Dolibarr ERP/CRM platform version 7.0.0 and earlier. This security weakness resides in the expense reports module, specifically within the expensereport/card.php file where user input is improperly sanitized before being rendered back to other users. The vulnerability affects both the comments parameter and public/private note fields, creating an environment where malicious actors can inject persistent malicious scripts that execute in the context of other users' browsers.
The technical nature of this flaw aligns with CWE-79, which categorizes cross-site scripting vulnerabilities as weaknesses that allow attackers to inject client-side scripts into web applications. In this case, the vulnerability occurs during the data persistence phase where user-supplied content containing malicious JavaScript is stored in the database and subsequently retrieved and executed without proper sanitization or encoding. The stored nature of this XSS vulnerability means that once the malicious payload is submitted, it remains active and will execute for any user who views the affected expense report, making it particularly dangerous for collaborative environments where multiple users access shared financial data.
The operational impact of CVE-2018-16808 extends beyond simple script execution, as it can enable attackers to perform various malicious activities including session hijacking, credential theft, data exfiltration, and privilege escalation within the Dolibarr environment. Since expense reports typically contain sensitive financial information and are often accessed by multiple stakeholders including managers, finance personnel, and auditors, a successful exploitation could provide attackers with access to confidential business data, potentially leading to financial fraud or corporate espionage. The vulnerability is particularly concerning in enterprise environments where Dolibarr is used for managing employee expense claims, as it could be leveraged to capture authentication tokens or redirect users to malicious sites that appear legitimate.
Organizations utilizing Dolibarr versions prior to 7.0.1 should implement immediate mitigations including input validation and output encoding for all user-supplied content, particularly in fields that support rich text or HTML input. The recommended approach involves implementing proper HTML sanitization libraries such as HTML Purifier or similar solutions that can strip malicious script tags while preserving legitimate formatting. Additionally, organizations should consider implementing Content Security Policy headers to limit the execution of inline scripts and restrict external resource loading. From an ATT&CK framework perspective, this vulnerability maps to techniques involving malicious code injection and credential access, with potential lateral movement opportunities if the compromised user has elevated privileges within the Dolibarr system. Regular security updates and patch management procedures should be enforced to prevent similar vulnerabilities from being exploited in the future, as this issue demonstrates the importance of validating and sanitizing all user inputs in web applications.
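An added example, not taken from Dolibarr or VulDB, of the allow-list sanitization and output encoding recommended above: a small Python sanitizer (Dolibarr itself is PHP; the approach carries over unchanged) run over a constructed note body, beside the unescaped rendering that reproduces the flaw class. The tag allow-list, link schemes, function names and sample note are all assumptions made for the illustration.

```python
from html import escape
from html.parser import HTMLParser
ALLOWED_TAGS = {"p", "br", "b", "i", "strong", "em", "ul", "ol", "li"}  # assumed allow-list
ALLOWED_LINK_SCHEMES = ("http://", "https://", "mailto:")

class AllowListSanitizer(HTMLParser):
    """Rebuild a note from parsed tokens, keeping only allow-listed tags; text is
    HTML-escaped on the way out, so <script>, on* attributes and javascript: hrefs
    are either dropped or rendered as inert text."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside a dropped <script>/<style> body
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
        elif self.skip_depth:
            return  # inside a dropped element
        elif tag == "a":
            href = (dict(attrs).get("href") or "").strip()
            if href.lower().startswith(ALLOWED_LINK_SCHEMES):
                self.out.append(f'<a href="{escape(href)}" rel="noopener noreferrer">')
            else:
                self.out.append("<a>")  # unsafe scheme: keep the link text, drop the target
        elif tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")  # attributes are deliberately discarded
    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag != "br" and (tag == "a" or tag in ALLOWED_TAGS):
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

def sanitize_note(raw_html: str) -> str:
    parser = AllowListSanitizer()
    parser.feed(raw_html)
    parser.close()
    return "".join(parser.out)

def render_note_vulnerable(note: str) -> str:
    return f'<div class="note">{note}</div>'  # stored text echoed unchanged: the flaw class in the advisory

def render_note_hardened(note: str) -> str:
    return f'<div class="note">{sanitize_note(note)}</div>'

# Constructed sample of a note body a user could submit to an expense report.
SAMPLE_NOTE = '<p>Taxi to <b>client</b> site</p><script>alert(1)</script><img src=x onerror="alert(1)"><a href="javascript:alert(1)">receipt</a>'
```

Sanitizing on output (or on both store and output) is what closes the stored variant: a payload already sitting in the database is neutralised the next time the report is rendered.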