SB2019081532 - Multiple vulnerabilities in Dolibarr

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Cross-site request forgery (CVE-ID: CVE-2019-15062)

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin. A remote authenticated attacker can store an IFRAME element (containing a user/card.php CSRF request) in his Linked Files settings page, trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website, such as completely take over the admin account.

2) Cross-site scripting (CVE-ID: CVE-2019-16197)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists in "htdocs/societe/card.php" due to the value of the User-Agent HTTP header is copied into the HTML document as plain text between tags. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Remediation

Install update from vendor's website.

References

• https://gauravnarwani.com/publications/CVE-2019-15062/
• https://github.com/Dolibarr/dolibarr/issues/11671
• http://packetstormsecurity.com/files/154481/Dolibarr-ERP-CRM-10.0.1-Cross-Site-Scripting.html