CVE-2020-13239

MEDIUM5.4EPSS 0.23%

Dolibarr Stored Cross-site Scripting via file upload

Published: 5/24/2022Modified: 4/3/2025

Also known as:GHSA-fvf9-2hjp-w936BIT-dolibarr-2020-13239

Description

The DMS/ECM module in Dolibarr 11.0.4 renders user-uploaded .html files in the browser when the attachment parameter is removed from the direct download link. This causes XSS.

Affected packages (2)

Bitnami/dolibarr>= 11.0.4, <= 11.0.4
Packagist/dolibarr/dolibarr

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

References (3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2020-13239
PATCHhttps://github.com/Dolibarr/dolibarr
WEBhttps://www.dubget.com/stored-xss-via-file-upload.html