CVE-2019-19212 in Dolibarr ERP/CRM

Summary

by MITRE

Dolibarr ERP/CRM 3.0 through 10.0.3 allows XSS via the qty parameter to product/fournisseurs.php (product price screen).


Analysis

by VulDB Data Team • 05/10/2025

CVE-2019-19212 is a cross-site scripting flaw in Dolibarr ERP/CRM versions 3.0 through 10.0.3. It affects the product/fournisseurs.php endpoint, which serves the product price screen. The flaw arises because the qty parameter is neither adequately validated on input nor encoded on output: user-supplied quantity values are incorporated directly into the HTML response without sanitization or escaping, which lets an attacker inject arbitrary JavaScript into the page the application returns.

The weakness is classified as CWE-79 (cross-site scripting). An attacker places a malicious payload in the qty value; when the vulnerable application renders it, the payload is executed in the browsers of other users who view the page. The root cause is the application's failure to escape special characters and HTML markup in the quantity field, so script tags or other injected markup pass through intact. The parameter can reach the application through direct URL manipulation, form submissions, or API calls that carry the quantity value.

The impact goes beyond script execution as such: injected code can hijack sessions, steal user credentials, support phishing, or manipulate application functionality. When a victim opens the affected product price screen with a malicious quantity value, the browser executes the injected JavaScript, which can lead to unauthorized data access, modification of product information, or redirection to malicious sites. Every user with access to the product supplier management interface is exposed, above all administrative users who may inadvertently interact with maliciously crafted product entries. Exploitation requires little technical skill and can be automated, which makes the flaw especially dangerous where many users share the ERP system.

Mitigation of CVE-2019-19212 starts with upgrading affected Dolibarr installations to the latest stable release, which contains the input validation fix. Beyond patching, quantity parameters should be strictly validated, and every user-supplied value should be escaped before it is rendered in an HTML context. A Content Security Policy header adds defense in depth by preventing execution of unauthorized scripts even if an encoding gap remains. Security teams should review all input handling in the product management modules, with particular attention to parameters that influence UI rendering, and should run regular vulnerability scanning and penetration testing to find similar issues in other components where user input feeds HTML generation. Network segmentation and privileged access controls limit the blast radius of a successful exploit, and user education about suspicious site behaviour helps against social engineering that builds on this flaw. Remediation should also include monitoring for anomalous user behaviour that might indicate exploitation attempts.
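As an added illustration of the two controls the mitigation text calls for, here is a pair of hypothetical PHP handlers (not Dolibarr's own code): one that interpolates the qty request value into HTML unchecked, and one that validates it as a number and encodes it for the attribute context, plus the Content Security Policy header used as defense in depth. Function names and the sample request are constructed for this example.

```php
<?php
// Added example, not Dolibarr's code. Hypothetical helpers showing the two
// controls for a quantity parameter rendered on a price screen.

declare(strict_types=1);

// Hypothetical vulnerable pattern: the raw request value is interpolated into HTML.
function renderQtyVulnerable(array $request): string
{
    $qty = $request['qty'] ?? '';
    return '<input type="text" name="qty" value="' . $qty . '">';
}

// Control 1: strict input validation. A quantity is a non-negative number;
// anything else is rejected before it reaches the template.
function parseQty(array $request): ?float
{
    $raw = $request['qty'] ?? null;
    if (!is_string($raw) || $raw === '') {
        return null;
    }
    $value = filter_var($raw, FILTER_VALIDATE_FLOAT);
    if ($value === false || $value < 0) {
        return null;
    }
    return $value;
}

// Control 2: output encoding. Even the validated value is escaped for the
// HTML attribute context it lands in (quotes included).
function renderQtySafe(array $request): string
{
    $qty = parseQty($request);
    $shown = $qty === null ? '' : (string) $qty;
    $escaped = htmlspecialchars($shown, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="qty" value="' . $escaped . '">';
}

// Defense in depth: a restrictive Content Security Policy so that inline
// script reaching the page is not executed even if encoding is missed.
function sendCspHeader(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
}

// Constructed sample request: a quantity field carrying stray markup, not a number.
$sample = ['qty' => '12"><em>not-a-number</em>'];
echo renderQtyVulnerable($sample), "\n"; // markup lands in the page verbatim
echo renderQtySafe($sample), "\n";       // validation rejects it; the attribute stays empty
echo renderQtySafe(['qty' => '2.5']), "\n"; // a real quantity passes and is encoded
```

In a real handler the CSP header is sent before any output; it is shown here only as the separate control the text describes.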

Reservation

11/21/2019

Moderation

accepted

CPE

ready

EPSS

0.03885

KEV

no

Activities

very low

Sources
