An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS03OTQ3LTQ4cTctY3A1bc4AA7Lv

Dolibarr Application Home Page has HTML injection vulnerability


Observed a HTML Injection vulnerbaility in the Home page of Dolibarr Application. This vulnerability allows an attacker to inject arbitrary HTML tags and manipulate the rendered content in the application's response. Specifically, I was able to successfully inject a new HTML tag into the returned document and, as a result, was able to comment out some part of the Dolibarr App Home page HTML code. This behavior can be exploited to perform various attacks like Cross-Site Scripting (XSS).


  1. Navigate to the login page of Dolibarr application.
  2. Submit a login request with the following payload in an arbitrarily supplied body parameter: "u70ea%22%3e%3c!--HTML_Injection_By_Sai"=1

HTTP Post Request:
POST /dolibarr/index.php?mainmenu=home HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 375
Connection: close
Upgrade-Insecure-Requests: 1


  1. Upon successful injection of the payload, some part of Home page HTML code was commented out.

Kindly go through the below video for detailed steps:

Remediation Suggestion
Kindly validate and sanitize all user-supplied input, especially within HTML attributes, to prevent HTML injection attacks.
Implement proper output encoding when rendering user-provided data to ensure it is treated as plain text rather than executable HTML.

Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 1 month ago
Updated: about 1 month ago

CVSS Score: 7.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

Identifiers: GHSA-7947-48q7-cp5m, CVE-2024-23817
References: Repository:
Blast Radius: 5.5

Affected Packages

Dependent packages: 0
Dependent repositories: 6
Downloads: 4,994 total
Affected Version Ranges: = 18.0.4
No known fixed version
All affected versions: