Key Vulnerability Information

Vulnerability Identifier
Advisory ID: usd-2019-0053
CVE Number: CVE-2019-19211

Affected Product and Versions
Affected Product: Dolibarr ERP/CRM
Affected Version: 3.0 - 10.0.4

Vulnerability Type and Risk
Vulnerability Type: Reflected XSS
Security Risk: High

Description
Description: Multiple parameters used by /dolibarr/htdocs/user/card.php are reflected into the response without sufficient filtering, so an attacker who gets a logged-in user to open a crafted card.php URL can inject script into the page.

Proof of Concept (PoC)
Vulnerable parameters: lastname, firstname, office_phone, user_mobile, office_fax, email, accountancy_code (if enabled), signature, job, thm, tjm, salary, weeklyhours.
Proof of Concept Details: Detailed URL examples are provided in the screenshot.

Fix Recommendation
Fix: Filter (encode) user input according to the context in which it is used, i.e. HTML-encode values that are written into text nodes and attribute-encode values that are written into attributes.

Timeline
2019-09-06: Vulnerability discovered by Daniel Hoffmann
2019-09-11: First contact with vendor
2019-10-30: Vendor released version 10.0.3; the fix did not pass retesting
2019-11-27: Vendor released version 10.0.4, which fixes the vulnerability (not verified)
2020-02-05: Security advisory released

Credits
Credits: This security vulnerability was discovered by Daniel Hoffmann of usd AG.
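The advisory's PoC URLs exist only in a screenshot, and the timeline shows that a retest of 10.0.3 was needed. The following script is an added example (it is not usd AG's PoC and not Dolibarr code) of how such a retest can be done in one request: it builds a canary for every parameter listed above, places a distinct marker in front of each HTML metacharacter, sends all of them to card.php in a single GET, and then reports per parameter which metacharacters came back unencoded. The base URL, the session cookie argument and the helper names are assumptions; the sample response at the bottom is constructed to show the three outcomes (raw reflection, encoded reflection, not reflected) rather than captured from a real Dolibarr instance.

```python
"""Reflection probe for the card.php parameters named in usd-2019-0053.

Added example (not usd AG's PoC and not Dolibarr code): one canary per
parameter, all sent in a single GET to user/card.php, then a report of which
HTML metacharacters are reflected without encoding.
"""
import html
import sys
import urllib.parse
import urllib.request

# Parameters the advisory lists as reflected by /dolibarr/htdocs/user/card.php.
PARAMS = [
    "lastname", "firstname", "office_phone", "user_mobile", "office_fax",
    "email", "accountancy_code", "signature", "job", "thm", "tjm", "salary",
    "weeklyhours",
]

# '<' and '>' break out of a text node, '"' and "'" out of a quoted attribute.
META = '<>"\''


def make_probe(index, nonce="usd"):
    """Canary for one parameter, e.g. usd0a<usd0b>usd0c"usd0d': a distinct
    marker precedes each metacharacter so each one can be checked on its own."""
    return "".join(f"{nonce}{index}{letter}{ch}" for letter, ch in zip("abcd", META))


def make_probes(params=PARAMS, nonce="usd"):
    return {name: make_probe(i, nonce) for i, name in enumerate(params)}


def build_probe_url(base_url, probes):
    """One request carrying every probe; urlencode percent-encodes the metacharacters."""
    return f"{base_url}?{urllib.parse.urlencode(probes)}"


def split_probe(probe):
    """Recover the (marker, metacharacter) pairs that make_probe joined."""
    pairs, marker = [], ""
    for ch in probe:
        if ch in META:
            pairs.append((marker, ch))
            marker = ""
        else:
            marker += ch
    return pairs


def surviving_metachars(body, probe):
    """Metacharacters that came back raw: the marker is immediately followed by
    the literal character, not by an entity such as &lt; or &quot;."""
    return "".join(ch for marker, ch in split_probe(probe) if marker + ch in body)


def classify(body, probes):
    """Per parameter: ('unescaped', raw_chars) if any metacharacter survived,
    ('encoded', '') if the value is reflected but every metacharacter was
    encoded or removed, ('absent', '') if the marker is not in the page."""
    report = {}
    for name, probe in probes.items():
        raw = surviving_metachars(body, probe)
        first_marker = split_probe(probe)[0][0]
        if raw:
            report[name] = ("unescaped", raw)
        elif first_marker in body:
            report[name] = ("encoded", "")
        else:
            report[name] = ("absent", "")
    return report


def fetch(url, session_cookie=None):
    """GET the probe URL; card.php needs a logged-in session, so pass its cookie."""
    req = urllib.request.Request(url, headers={"User-Agent": "xss-retest"})
    if session_cookie:
        req.add_header("Cookie", session_cookie)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", "replace")


PROBES = make_probes()

# Constructed response, not real card.php output: lastname reflected raw in an
# attribute, email encoded with quotes (htmlspecialchars ENT_QUOTES style),
# job with only < > & encoded (ENT_NOQUOTES style), everything else absent.
SAMPLE_BODY = (
    f'<input name="lastname" value="{PROBES["lastname"]}">\n'
    f'<input name="email" value="{html.escape(PROBES["email"], quote=True)}">\n'
    f'<td>{html.escape(PROBES["job"], quote=False)}</td>\n'
)

if __name__ == "__main__":
    # With a base URL (and optionally a session cookie) this probes a live host;
    # without arguments it classifies the constructed sample above.
    if len(sys.argv) > 1:
        body = fetch(build_probe_url(sys.argv[1], PROBES), *sys.argv[2:3])
    else:
        body = SAMPLE_BODY
    for name, (status, raw) in classify(body, PROBES).items():
        print(f"{name:18s} {status:9s} {raw}")
```

Run as `python3 probe.py https://host/dolibarr/htdocs/user/card.php 'DOLSESSID_...=<session>'` against a test instance you are allowed to test. A parameter reported as unescaped with `<` or `>` is exploitable in a text-node context, one reported with only `"` or `'` is exploitable where the value lands inside a quoted attribute, so the report also tells you which encoding the fix is missing, which is exactly the "filter according to usage" point in the advisory.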