CVE-2021-25955 (GCVE-0-2021-25955)

Vulnerability from cvelistv5 – Published: 2021-08-15 20:35 – Updated: 2024-09-16 21:02
VLAI?
Title
Stored XSS in “Dolibarr” leads to privilege escalation
Summary
In “Dolibarr ERP CRM”, WYSIWYG Editor module, v2.8.1 to v13.0.2 are affected by a stored XSS vulnerability that allows low privileged application users to store malicious scripts in the “Private Note” field at “/adherents/note.php?id=1” endpoint. These scripts are executed in a victim’s browser when they open the page containing the vulnerable field. In the worst case, the victim who inadvertently triggers the attack is a highly privileged administrator. The injected scripts can extract the Session ID, which can lead to full Account takeover of the admin and due to other vulnerability (Improper Access Control on Private notes) a low privileged user can update the private notes which could lead to privilege escalation.
Severity ?
9 (Critical)
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
CWE
Assigner
References
Impacted products
Vendor Product Version
Dolibarr dolibarr Affected: unspecified , ≤ v13.0.2 (custom)
Affected: v2.8.1 , < unspecified (custom)
Create a notification for this product.
Credits
Hagai Wechsler
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T20:19:18.976Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25955"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/Dolibarr/dolibarr/commit/796b2d201acb9938b903fb2afa297db289ecc93e"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "dolibarr",
          "vendor": "Dolibarr",
          "versions": [
            {
              "lessThanOrEqual": "v13.0.2",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "v2.8.1",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Hagai Wechsler"
        }
      ],
      "datePublic": "2021-08-10T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "In \u201cDolibarr ERP CRM\u201d, WYSIWYG Editor module, v2.8.1 to v13.0.2 are affected by a stored XSS vulnerability that allows low privileged application users to store malicious scripts in the \u201cPrivate Note\u201d field at \u201c/adherents/note.php?id=1\u201d endpoint. These scripts are executed in a victim\u2019s browser when they open the page containing the vulnerable field. In the worst case, the victim who inadvertently triggers the attack is a highly privileged administrator. The injected scripts can extract the Session ID, which can lead to full Account takeover of the admin and due to other vulnerability (Improper Access Control on Private notes) a low privileged user can update the private notes which could lead to privilege escalation."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-08-15T20:35:25",
        "orgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
        "shortName": "Mend"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25955"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/Dolibarr/dolibarr/commit/796b2d201acb9938b903fb2afa297db289ecc93e"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Update to 14.0.0"
        }
      ],
      "source": {
        "advisory": "https://www.whitesourcesoftware.com/vulnerability-database/",
        "discovery": "UNKNOWN"
      },
      "title": "Stored XSS in \u201cDolibarr\u201d leads to privilege escalation",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com",
          "DATE_PUBLIC": "2021-08-10T21:00:00.000Z",
          "ID": "CVE-2021-25955",
          "STATE": "PUBLIC",
          "TITLE": "Stored XSS in \u201cDolibarr\u201d leads to privilege escalation"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "dolibarr",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "v13.0.2"
                          },
                          {
                            "version_affected": "\u003e=",
                            "version_value": "v2.8.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Dolibarr"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Hagai Wechsler"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In \u201cDolibarr ERP CRM\u201d, WYSIWYG Editor module, v2.8.1 to v13.0.2 are affected by a stored XSS vulnerability that allows low privileged application users to store malicious scripts in the \u201cPrivate Note\u201d field at \u201c/adherents/note.php?id=1\u201d endpoint. These scripts are executed in a victim\u2019s browser when they open the page containing the vulnerable field. In the worst case, the victim who inadvertently triggers the attack is a highly privileged administrator. The injected scripts can extract the Session ID, which can lead to full Account takeover of the admin and due to other vulnerability (Improper Access Control on Private notes) a low privileged user can update the private notes which could lead to privilege escalation."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25955",
              "refsource": "MISC",
              "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25955"
            },
            {
              "name": "https://github.com/Dolibarr/dolibarr/commit/796b2d201acb9938b903fb2afa297db289ecc93e",
              "refsource": "MISC",
              "url": "https://github.com/Dolibarr/dolibarr/commit/796b2d201acb9938b903fb2afa297db289ecc93e"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "Update to 14.0.0"
          }
        ],
        "source": {
          "advisory": "https://www.whitesourcesoftware.com/vulnerability-database/",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
    "assignerShortName": "Mend",
    "cveId": "CVE-2021-25955",
    "datePublished": "2021-08-15T20:35:25.743897Z",
    "dateReserved": "2021-01-22T00:00:00",
    "dateUpdated": "2024-09-16T21:02:55.699Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:dolibarr:dolibarr:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"2.8.1\", \"versionEndIncluding\": \"13.0.2\", \"matchCriteriaId\": \"730BE634-E4DD-4AC7-89A0-74ED7ED1EB2D\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"In \\u201cDolibarr ERP CRM\\u201d, WYSIWYG Editor module, v2.8.1 to v13.0.2 are affected by a stored XSS vulnerability that allows low privileged application users to store malicious scripts in the \\u201cPrivate Note\\u201d field at \\u201c/adherents/note.php?id=1\\u201d endpoint. These scripts are executed in a victim\\u2019s browser when they open the page containing the vulnerable field. In the worst case, the victim who inadvertently triggers the attack is a highly privileged administrator. The injected scripts can extract the Session ID, which can lead to full Account takeover of the admin and due to other vulnerability (Improper Access Control on Private notes) a low privileged user can update the private notes which could lead to privilege escalation.\"}, {\"lang\": \"es\", \"value\": \"En \\\"Dolibarr ERP CRM\\\", el m\\u00f3dulo Editor WYSIWYG, versiones v2.8.1 a v13.0.2 est\\u00e1n afectados por una vulnerabilidad de tipo XSS almacenado que permite a usuarios de la aplicaci\\u00f3n con pocos privilegios almacenar scripts maliciosos en el campo \\\"Private Note\\\" en el endpoint \\\"/adherents/note.php?id=1\\\". Estos scripts son ejecutados en el navegador de la v\\u00edctima cuando \\u00e9sta abre la p\\u00e1gina que contiene el campo vulnerable. En el peor de los casos, la v\\u00edctima que desencadena inadvertidamente el ataque es un administrador con muchos privilegios. Los scripts inyectados pueden extraer el ID de la Sesi\\u00f3n, lo que puede conllevar a una toma de posesi\\u00f3n de la Cuenta completa del administrador y, debido a otra vulnerabilidad (Control de Acceso Inapropiado en las notas Privadas), un usuario poco privilegiados puede actualizar las notas privadas, que podr\\u00eda conllevar a una escalada de privilegios.\"}]",
      "id": "CVE-2021-25955",
      "lastModified": "2024-11-21T05:55:40.140",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"vulnerabilitylab@mend.io\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H\", \"baseScore\": 9.0, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.3, \"impactScore\": 6.0}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H\", \"baseScore\": 9.0, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.3, \"impactScore\": 6.0}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:S/C:N/I:P/A:N\", \"baseScore\": 3.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"SINGLE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"LOW\", \"exploitabilityScore\": 6.8, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": true}]}",
      "published": "2021-08-15T21:15:06.907",
      "references": "[{\"url\": \"https://github.com/Dolibarr/dolibarr/commit/796b2d201acb9938b903fb2afa297db289ecc93e\", \"source\": \"vulnerabilitylab@mend.io\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25955\", \"source\": \"vulnerabilitylab@mend.io\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/Dolibarr/dolibarr/commit/796b2d201acb9938b903fb2afa297db289ecc93e\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25955\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
      "sourceIdentifier": "vulnerabilitylab@mend.io",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"vulnerabilitylab@mend.io\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-25955\",\"sourceIdentifier\":\"vulnerabilitylab@mend.io\",\"published\":\"2021-08-15T21:15:06.907\",\"lastModified\":\"2024-11-21T05:55:40.140\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In \u201cDolibarr ERP CRM\u201d, WYSIWYG Editor module, v2.8.1 to v13.0.2 are affected by a stored XSS vulnerability that allows low privileged application users to store malicious scripts in the \u201cPrivate Note\u201d field at \u201c/adherents/note.php?id=1\u201d endpoint. These scripts are executed in a victim\u2019s browser when they open the page containing the vulnerable field. In the worst case, the victim who inadvertently triggers the attack is a highly privileged administrator. The injected scripts can extract the Session ID, which can lead to full Account takeover of the admin and due to other vulnerability (Improper Access Control on Private notes) a low privileged user can update the private notes which could lead to privilege escalation.\"},{\"lang\":\"es\",\"value\":\"En \\\"Dolibarr ERP CRM\\\", el m\u00f3dulo Editor WYSIWYG, versiones v2.8.1 a v13.0.2 est\u00e1n afectados por una vulnerabilidad de tipo XSS almacenado que permite a usuarios de la aplicaci\u00f3n con pocos privilegios almacenar scripts maliciosos en el campo \\\"Private Note\\\" en el endpoint \\\"/adherents/note.php?id=1\\\". Estos scripts son ejecutados en el navegador de la v\u00edctima cuando \u00e9sta abre la p\u00e1gina que contiene el campo vulnerable. En el peor de los casos, la v\u00edctima que desencadena inadvertidamente el ataque es un administrador con muchos privilegios. Los scripts inyectados pueden extraer el ID de la Sesi\u00f3n, lo que puede conllevar a una toma de posesi\u00f3n de la Cuenta completa del administrador y, debido a otra vulnerabilidad (Control de Acceso Inapropiado en las notas Privadas), un usuario poco privilegiados puede actualizar las notas privadas, que podr\u00eda conllevar a una escalada de privilegios.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"vulnerabilitylab@mend.io\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H\",\"baseScore\":9.0,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.3,\"impactScore\":6.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H\",\"baseScore\":9.0,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.3,\"impactScore\":6.0}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:S/C:N/I:P/A:N\",\"baseScore\":3.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"LOW\",\"exploitabilityScore\":6.8,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"vulnerabilitylab@mend.io\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dolibarr:dolibarr:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.8.1\",\"versionEndIncluding\":\"13.0.2\",\"matchCriteriaId\":\"730BE634-E4DD-4AC7-89A0-74ED7ED1EB2D\"}]}]}],\"references\":[{\"url\":\"https://github.com/Dolibarr/dolibarr/commit/796b2d201acb9938b903fb2afa297db289ecc93e\",\"source\":\"vulnerabilitylab@mend.io\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25955\",\"source\":\"vulnerabilitylab@mend.io\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/Dolibarr/dolibarr/commit/796b2d201acb9938b903fb2afa297db289ecc93e\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25955\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.