Description
The DMS/ECM module in Dolibarr 11.0.4 renders user-uploaded .html files in the browser when the attachment parameter is removed from the direct download link. This causes XSS.
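The pattern described above, next to a hardened form, as an added example that is not Dolibarr's code or its fix. The function names, the `attachment` query key as modelled here, and the sample file name are assumptions made for illustration.

```php
<?php
// Added example: a hypothetical download handler, not Dolibarr's implementation.

// MIME types a browser renders as active content (scripts can run).
const ACTIVE_TYPES = ['text/html', 'application/xhtml+xml', 'image/svg+xml',
                      'text/xml', 'application/xml'];

// Vulnerable pattern: the client chooses the disposition. When "attachment"
// is dropped from the link, the uploaded file is rendered in the app's origin.
function headers_vulnerable(array $query, string $mime, string $name): array
{
    $headers = ['Content-Type' => $mime];
    if (!empty($query['attachment'])) {
        $headers['Content-Disposition'] = 'attachment; filename="' . $name . '"';
    }
    return $headers;
}

// Hardened pattern: the server chooses. Active content is always a download,
// is never sniffed, and is sandboxed by CSP if it is opened anyway.
function headers_hardened(array $query, string $mime, string $name): array
{
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($name));
    $bareType = strtolower(trim(explode(';', $mime)[0])); // drop "; charset=..."
    $active   = in_array($bareType, ACTIVE_TYPES, true);
    $inline   = !$active && empty($query['attachment']);
    return [
        'Content-Type'            => $active ? 'application/octet-stream' : $mime,
        'Content-Disposition'     => ($inline ? 'inline' : 'attachment')
                                     . '; filename="' . $safeName . '"',
        'X-Content-Type-Options'  => 'nosniff',
        'Content-Security-Policy' => "default-src 'none'; sandbox",
    ];
}

// Constructed request: the attachment parameter is absent from the link.
$query = ['file' => 'notes.html'];
foreach (['headers_vulnerable', 'headers_hardened'] as $fn) {
    echo $fn, "\n";
    foreach ($fn($query, 'text/html', 'notes.html') as $k => $v) {
        echo "  $k: $v\n";
    }
}
```

With the parameter missing, the first function emits only `Content-Type: text/html`, while the second still forces a download for the same request.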
Remediation
References
Related Vulnerabilities
WordPress Plugin DukaPress Multiple Cross-Site Scripting Vulnerabilities (2.5.9)
WordPress Plugin Image News slider 'upload.php' Arbitrary File Upload (3.3)
WordPress Plugin Enable Media Replace Unspecified Vulnerability (2.9.5)
PHP Resource Management Errors Vulnerability (CVE-2012-0781)
MediaWiki Permissions, Privileges, and Access Controls Vulnerability (CVE-2012-1581)