Description
The test_sql_and_script_inject function in htdocs/main.inc.php in Dolibarr ERP/CRM 6.0.4 blocks some HTML event-handler attributes, but not onclick or onscroll, which allows cross-site scripting (XSS).