Description
The test_sql_and_script_inject function in htdocs/main.inc.php in Dolibarr ERP/CRM 6.0.4 filters input against a fixed blocklist of HTML event-handler attributes. The list omits onclick and onscroll, so input carrying either handler passes the filter unchanged and can be used for cross-site scripting (XSS). The weakness is the blocklist approach itself: any event handler not explicitly enumerated is let through.
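The Python below is an added illustration, not Dolibarr's code, of why the fixed blocklist described above fails: it models such a filter with a constructed handler list, shows an input carrying an onclick or onscroll handler passing it, and contrasts two defences, a pattern that rejects every on*= attribute and output encoding, which does not depend on enumerating handlers at all. The handler list, function names and payloads are assumptions made for the example.

```python
import html
import re

# Constructed blocklist modelled on the flawed pattern the description names.
# This list is an assumption for illustration, not Dolibarr's actual list.
BLOCKED_HANDLERS = ("onload", "onmouseover", "onmouseout", "onerror")


def blocklist_filter(value: str) -> bool:
    """Return True if the value passes the (flawed) fixed blocklist.

    Only handlers named in BLOCKED_HANDLERS are rejected; anything else,
    including onclick and onscroll, is accepted.
    """
    lowered = value.lower()
    return not any(re.search(rf"{h}\s*=", lowered) for h in BLOCKED_HANDLERS)


# Hardened check: reject every HTML event-handler attribute (a word starting
# with "on" followed by optional whitespace and "="), case-insensitively,
# instead of a fixed list that must be kept complete by hand.
EVENT_HANDLER_RE = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)


def generic_handler_filter(value: str) -> bool:
    """Return True if the value contains no on*= attribute at all."""
    return EVENT_HANDLER_RE.search(value) is None


def render_escaped(value: str) -> str:
    """Output-encode for an HTML text or attribute context.

    Encoding <, >, &, " and ' means a stored handler can never become markup,
    whichever attribute name it used.
    """
    return html.escape(value, quote=True)


# Constructed sample inputs: the first two exercise handlers the blocklist
# misses, the third a handler it catches, the last is benign text whose
# substrings resemble an attribute name and must not be rejected.
CONSTRUCTED_PAYLOADS = [
    '<div onclick="alert(1)">click</div>',
    '<div onscroll = "alert(1)">scroll</div>',
    '<body onload="alert(1)">',
    'the button = on station 4',
]


def evaluate(payloads=CONSTRUCTED_PAYLOADS):
    """Map each payload to (passes_blocklist, passes_generic_filter)."""
    return {p: (blocklist_filter(p), generic_handler_filter(p)) for p in payloads}


if __name__ == "__main__":
    for payload, (bl, gen) in evaluate().items():
        print(f"blocklist={bl!s:5} generic={gen!s:5} escaped={render_escaped(payload)}")
```

The interesting row is the onclick one: the blocklist accepts it while the generic pattern rejects it. Even the generic pattern is only a screening control, since attribute names can be obfuscated in ways a regex does not anticipate; the escaped output is what actually prevents the handler from executing.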
Remediation
References