CVE-2022-22293 in Dolibarr

Summary

by MITRE • 01/02/2022

admin/limits.php in Dolibarr 7.0.2 allows HTML injection, as demonstrated by the MAIN_MAX_DECIMALS_TOT parameter.


Analysis

by VulDB Data Team • 01/05/2022

CVE-2022-22293 affects Dolibarr version 7.0.2, specifically the admin/limits.php file, where improper input validation allows HTML injection. The flaw lies in the handling of the MAIN_MAX_DECIMALS_TOT parameter and gives an attacker a vector for injecting arbitrary HTML into the application's administrative interface. It stems from insufficient sanitization of user-supplied parameters that are rendered in the web interface without proper encoding or validation.

This is a classic HTML injection or cross-site scripting (XSS) weakness, classified under CWE-79 (improper neutralization of input during web page generation). It lets an attacker inject HTML through the parameter input field and potentially execute arbitrary script in the context of a victim's browser session. The attack surface is particularly concerning because the affected page is an administrative function, where users with elevated privileges interact with the system, so a successful attack could lead to privilege escalation or unauthorized access to sensitive administrative controls.

The operational impact goes beyond simple script execution: injected code could manipulate the administrative interface in ways that compromise system integrity and confidentiality, for example by redirecting users to phishing sites, stealing session cookies, or modifying administrative settings to create persistent backdoors within the application. Because the vulnerability sits in Dolibarr's core administrative configuration system, which manages business processes including financial records, inventory management and customer relationship management, the potential damage is significant for organizations relying on the platform.

Mitigation should focus on proper input validation and output encoding throughout the application's parameter handling. Organizations should apply the vendor-provided patches or upgrade to a version that addresses the issue without delay. Strict parameter validation is recommended for all administrative inputs, particularly those rendered directly in the web interface. A content security policy can further limit unauthorized script execution, and a web application firewall can detect and block suspicious input patterns. This vulnerability aligns with ATT&CK technique T1213 (data from information repositories) and is a critical security gap that requires immediate attention wherever Dolibarr is deployed for business operations management.
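The two defensive layers named above, validation on input and encoding on output, are shown side by side in the following PHP example. It is an added illustration written for this page, not Dolibarr's own admin/limits.php code: the handler, the function names and the assumed integer range for the setting (0 to 10) are hypothetical, and only the parameter name MAIN_MAX_DECIMALS_TOT comes from the advisory. The sample request value is constructed to contain markup instead of a number.

```php
<?php
// Added example, not Dolibarr's code. A minimal handler for a numeric admin
// setting, showing the reflection pattern that allows HTML injection beside a
// hardened version that validates on input and encodes on output.
declare(strict_types=1);

// Unsafe pattern: the submitted value is concatenated straight into the page,
// so any markup in it becomes part of the DOM.
function render_setting_unsafe(array $request): string
{
    $value = $request['MAIN_MAX_DECIMALS_TOT'] ?? '';
    return '<input type="text" name="MAIN_MAX_DECIMALS_TOT" value="' . $value . '">';
}

// Input validation: the setting is a small integer. The 0..10 range is an
// assumption for this example, not a Dolibarr limit. filter_var returns
// false for anything that is not an integer inside the range.
function validate_decimals(string $raw): ?int
{
    $n = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => 10],
    ]);
    return $n === false ? null : $n;
}

// Output encoding: every value that reaches the HTML is escaped, including
// the rejected raw input shown in the error message, so even text that
// survives validation cannot be interpreted as markup.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_setting_safe(array $request): string
{
    $raw = (string)($request['MAIN_MAX_DECIMALS_TOT'] ?? '');
    $n = validate_decimals($raw);
    if ($n === null) {
        return '<p class="error">Invalid value for MAIN_MAX_DECIMALS_TOT: ' . esc($raw) . '</p>';
    }
    return '<input type="text" name="MAIN_MAX_DECIMALS_TOT" value="' . esc((string)$n) . '">';
}

// Constructed sample inputs: one carrying markup, one a legitimate setting.
$tampered = ['MAIN_MAX_DECIMALS_TOT' => '2"><b>injected</b>'];
$valid    = ['MAIN_MAX_DECIMALS_TOT' => '2'];

echo "Unsafe, tampered:  " . render_setting_unsafe($tampered) . "\n";
echo "Safe, tampered:    " . render_setting_safe($tampered) . "\n";
echo "Safe, valid input: " . render_setting_safe($valid) . "\n";
```

Run with `php example.php`. The unsafe line prints the `<b>` element as live markup; the hardened line rejects the value and prints `&lt;b&gt;injected&lt;/b&gt;`, which the browser displays as text. Validation alone would not be enough if a later code path echoed the raw value, which is why the encoding step is applied to every output, not only to values that failed the check.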

Reservation

01/01/2022

Disclosure

01/02/2022

Moderation

accepted

CPE

ready

EPSS

0.00744

KEV

no

Activities

very low

Sources
