Fluid Attacks Database

Description

Dolibarr ERP and CRM contain Cross-site Scripting Vulnerability Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM 3.5 and 3.6 allow remote attackers to inject arbitrary web script or HTML via the Business Search (search_nom) field to (1) htdocs/societe/societe.php or (2) htdocs/societe/admin/societe.php.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
packagist	dolibarr/dolibarr	>=3.5.0 <3.5.8	3.5.8

Aliases

1. CVE-2015-39352. NVD-2015-39353. OSV-2015-39354. GCVE-2015-3935

References

1. https://github.com/Dolibarr/dolibarr/issues/28572. https://github.com/Dolibarr/dolibarr/issues/42913. https://github.com/Dolibarr/dolibarr/issues/43414. https://github.com/dolibarr/dolibarr/commit/a7f6bbd316e9b96216e9b2c7a065c9251c9a89075. https://web.archive.org/web/20210122162903/http://www.securityfocus.com/bid/749266. http://packetstormsecurity.com/files/132108/Dolibarr-3.5-3.6-HTML-Injection.html7. http://seclists.org/fulldisclosure/2015/May/126

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.