CVE-2020-13240: XSS
First published: Wed May 20 2020(Updated: )
The DMS/ECM module in Dolibarr 11.0.4 allows users with the 'Setup documents directories' permission to rename uploaded files to have insecure file extensions. This bypasses the .noexe protection mechanism against XSS.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Dolibarr Dolibarr Erp\/crm | =11.0.4 | |
| composer/dolibarr/dolibarr | =11.0.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is CVE-2020-13240.
What is the severity of CVE-2020-13240?
CVE-2020-13240 has a severity keyword of medium and a severity value of 5.4.
What does the DMS/ECM module vulnerability in Dolibarr 11.0.4 allow?
The vulnerability allows users with the 'Setup documents directories' permission to rename uploaded files to have insecure file extensions, bypassing the .noexe protection mechanism against XSS.
What software version is affected by CVE-2020-13240?
Dolibarr 11.0.4 is affected by CVE-2020-13240.
How can the vulnerability in Dolibarr 11.0.4 be fixed?
To fix the vulnerability, it is recommended to update Dolibarr to the latest version available.
- collector/nvd-index
- agent/type
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-f848-r5g6-6gpf
- alias/CVE-2020-13240
- agent/software-canonical-lookup
- agent/severity
- agent/last-modified-date
- agent/references
- agent/weakness
- agent/description
- agent/softwarecombine
- agent/event
- collector/nvd-cve
- source/NVD
- agent/author
- collector/github-advisory
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/dolibarr
- canonical/dolibarr dolibarr erp\/crm
- version/dolibarr dolibarr erp\/crm/11.0.4
- package-manager/composer