Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1mODQ4LXI1ZzYtNmdwZs4AAkul
Dolibarr Stored Cross-site Scripting
The DMS/ECM module in Dolibarr 11.0.4 allows users with the 'Setup documents directories' permission to rename uploaded files to have insecure file extensions. This bypasses the .noexe protection mechanism against XSS.
Permalink: https://github.com/advisories/GHSA-f848-r5g6-6gpfJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mODQ4LXI1ZzYtNmdwZs4AAkul
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: 11 days ago
CVSS Score: 5.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Identifiers: GHSA-f848-r5g6-6gpf, CVE-2020-13240
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-13240
- https://www.dubget.com/stored-xss-via-file-upload.html
- https://github.com/advisories/GHSA-f848-r5g6-6gpf
Affected Packages
packagist:dolibarr/dolibarr
Dependent packages: 0Dependent repositories: 6
Downloads: 4,987 total
Affected Version Ranges: = 11.0.4
No known fixed version
All affected versions: 11.0.4