Produit : Dolibarr
Type : Security Advisory
Criticité : medium
CVE : CVE-2024-23817
Date source : 25/01/2024 16:45
Résumé :
### Summary
Observed a HTML Injection vulnerbaility in the Home page of Dolibarr Application. This vulnerability allows an attacker to inject arbitrary HTML tags and manipulate the rendered content in the application's response. Specifically, I was able to successfully inject a new HTML tag into the returned document and, as a result, was able to comment out some part of the Dolibarr App Home page HTML code. This behavior can be exploited to perform various attacks like Cross-Site Scripting (XSS).
### Details
1. Navigate to the login page of Dolibarr application.
2. Submit a login request with the following payload in an arbitrarily supplied body parameter: "**u70ea%22%3e%3c!–HTML_Injection_By_Sai"=1**
**HTTP Post Request:**
POST /dolibarr/index.php?mainmenu=home HTTP/1.1
Host: 192.168.37.129
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Fire
Action recommandée :
Vérifier la version installée et appliquer le correctif si le produit est concerné.
Source : Voir l’annonce officielle
Laisser un commentaire