CVE-2019-11199: XSS
First published: Mon Jul 29 2019(Updated: )
Dolibarr ERP/CRM 9.0.1 was affected by stored XSS within uploaded files. These vulnerabilities allowed the execution of a JavaScript payload each time any regular user or administrative user clicked on the malicious link hosted on the same domain. The vulnerabilities could be exploited by low privileged users to target administrators. The viewimage.php page did not perform any contextual output encoding and would display the content within the uploaded file with a user-requested MIME type.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Dolibarr ERP & CRM | =9.0.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the severity of CVE-2019-11199?
CVE-2019-11199 has a medium severity rating due to its potential for stored cross-site scripting (XSS) attacks.
How do I fix CVE-2019-11199?
To fix CVE-2019-11199, upgrade Dolibarr ERP/CRM to the latest version that has patched the vulnerability.
Who is affected by CVE-2019-11199?
CVE-2019-11199 affects users of Dolibarr ERP/CRM version 9.0.1.
What type of vulnerability is CVE-2019-11199?
CVE-2019-11199 is a stored cross-site scripting (XSS) vulnerability.
Can CVE-2019-11199 be exploited by a non-admin user?
Yes, CVE-2019-11199 can be exploited by low privilege users, making it a significant risk.
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/references
- agent/weakness
- agent/author
- agent/last-modified-date
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/dolibarr
- canonical/dolibarr erp & crm
- version/dolibarr erp & crm/9.0.1