CVE-2020-13240

MEDIUM5.4EPSS 0.17%

Dolibarr Stored Cross-site Scripting

Published: 5/24/2022Modified: 4/3/2025

Also known as:GHSA-f848-r5g6-6gpfBIT-dolibarr-2020-13240

Description

The DMS/ECM module in Dolibarr 11.0.4 allows users with the 'Setup documents directories' permission to rename uploaded files to have insecure file extensions. This bypasses the .noexe protection mechanism against XSS.

Affected packages (2)

Bitnami/dolibarr>= 11.0.4, <= 11.0.4
Packagist/dolibarr/dolibarr

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

References (3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2020-13240
PATCHhttps://github.com/Dolibarr/dolibarr
WEBhttps://www.dubget.com/stored-xss-via-file-upload.html