Description
The test_sql_and_script_inject function in htdocs/main.inc.php in Dolibarr ERP/CRM 6.0.4 blocks some HTML event-handler attributes but not onclick or onscroll, so input containing either of those handlers passes the filter, which allows cross-site scripting (XSS).
Remediation
References
Related Vulnerabilities
WordPress Plugin CM Download Manager Arbitrary File Upload (2.8.5)
Oracle HTTP Server Integer Overflow or Wraparound Vulnerability (CVE-2022-22721)
WordPress Plugin Popup Maker-Popup for opt-ins, lead gen, & more Cross-Site Scripting (1.6.4)
WordPress Plugin WP-CopyProtect [Protect your blog posts] Cross-Site Scripting (3.0.0)