CVE-2021-25955

Stored XSS in “Dolibarr” leads to privilege escalation

Severity Score

9.0

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In “Dolibarr ERP CRM”, WYSIWYG Editor module, v2.8.1 to v13.0.2 are affected by a stored XSS vulnerability that allows low privileged application users to store malicious scripts in the “Private Note” field at “/adherents/note.php?id=1” endpoint. These scripts are executed in a victim’s browser when they open the page containing the vulnerable field. In the worst case, the victim who inadvertently triggers the attack is a highly privileged administrator. The injected scripts can extract the Session ID, which can lead to full Account takeover of the admin and due to other vulnerability (Improper Access Control on Private notes) a low privileged user can update the private notes which could lead to privilege escalation.

En "Dolibarr ERP CRM", el módulo Editor WYSIWYG, versiones v2.8.1 a v13.0.2 están afectados por una vulnerabilidad de tipo XSS almacenado que permite a usuarios de la aplicación con pocos privilegios almacenar scripts maliciosos en el campo "Private Note" en el endpoint "/adherents/note.php?id=1". Estos scripts son ejecutados en el navegador de la víctima cuando ésta abre la página que contiene el campo vulnerable. En el peor de los casos, la víctima que desencadena inadvertidamente el ataque es un administrador con muchos privilegios. Los scripts inyectados pueden extraer el ID de la Sesión, lo que puede conllevar a una toma de posesión de la Cuenta completa del administrador y, debido a otra vulnerabilidad (Control de Acceso Inapropiado en las notas Privadas), un usuario poco privilegiados puede actualizar las notas privadas, que podría conllevar a una escalada de privilegios.

*Credits: Hagai Wechsler

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

Single

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-01-22 CVE Reserved
2021-08-15 CVE Published
2023-03-08 EPSS Updated
2024-09-16 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CAPEC

References (2)

URL	Tag	Source
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25955	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://github.com/Dolibarr/dolibarr/commit/796b2d201acb9938b903fb2afa297db289ecc93e	2022-08-01

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Dolibarr Search vendor "Dolibarr"		Dolibarr Search vendor "Dolibarr" for product "Dolibarr"				>= 2.8.1 <= 13.0.2 Search vendor "Dolibarr" for product "Dolibarr" and version " >= 2.8.1 <= 13.0.2"		-		Affected