cnvd - cnvd-2016-00442

cnvd-2016-00442

Vulnerability from cnvd

Title: Dolibarr ERP/CRM存在多个跨站脚本漏洞

Description:

Dolibarr ERP/CRM是管理公司业务信息的软件。

Dolibarr ERP/CRM 3.8.3及之前版本存在多个跨站脚本漏洞，允许远程攻击者通过将外部日历的 url 或银行名称字段中的"导入外部日历"页注入任意web脚本或HTML。

Severity: 中

Patch Name: Dolibarr ERP/CRM存在多个跨站脚本漏洞的补丁

Patch Description:

Dolibarr ERP/CRM是管理公司业务信息的软件。

Dolibarr ERP/CRM 3.8.3及之前版本存在多个跨站脚本漏洞，允许远程攻击者通过将外部日历的 url 或银行名称字段中的"导入外部日历"页注入任意web脚本或HTML。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

用户可参考如下厂商提供的安全公告获取补丁以修复该漏洞： https://github.com/Dolibarr/dolibarr/issues/4291

Reference: https://github.com/Dolibarr/dolibarr/issues/4291

Impacted products

Name
Dolibarr ERP/CRM <=3.8.3

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2015-8685"
    }
  },
  "description": "Dolibarr ERP/CRM\u662f\u7ba1\u7406\u516c\u53f8\u4e1a\u52a1\u4fe1\u606f\u7684\u8f6f\u4ef6\u3002\r\n\r\nDolibarr ERP/CRM 3.8.3\u53ca\u4e4b\u524d\u7248\u672c\u5b58\u5728\u591a\u4e2a\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u5141\u8bb8\u8fdc\u7a0b\u653b\u51fb\u8005\u901a\u8fc7\u5c06\u5916\u90e8\u65e5\u5386\u7684 url \u6216\u94f6\u884c\u540d\u79f0\u5b57\u6bb5\u4e2d\u7684\"\u5bfc\u5165\u5916\u90e8\u65e5\u5386\"\u9875\u6ce8\u5165\u4efb\u610fweb\u811a\u672c\u6216HTML\u3002",
  "discovererName": "Sergio Gal\u00e1n - @NaxoneZ",
  "formalWay": "\u7528\u6237\u53ef\u53c2\u8003\u5982\u4e0b\u5382\u5546\u63d0\u4f9b\u7684\u5b89\u5168\u516c\u544a\u83b7\u53d6\u8865\u4e01\u4ee5\u4fee\u590d\u8be5\u6f0f\u6d1e\uff1a\r\nhttps://github.com/Dolibarr/dolibarr/issues/4291",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2016-00442",
  "openTime": "2016-01-26",
  "patchDescription": "Dolibarr ERP/CRM\u662f\u7ba1\u7406\u516c\u53f8\u4e1a\u52a1\u4fe1\u606f\u7684\u8f6f\u4ef6\u3002\r\n\r\nDolibarr ERP/CRM 3.8.3\u53ca\u4e4b\u524d\u7248\u672c\u5b58\u5728\u591a\u4e2a\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u5141\u8bb8\u8fdc\u7a0b\u653b\u51fb\u8005\u901a\u8fc7\u5c06\u5916\u90e8\u65e5\u5386\u7684 url \u6216\u94f6\u884c\u540d\u79f0\u5b57\u6bb5\u4e2d\u7684\"\u5bfc\u5165\u5916\u90e8\u65e5\u5386\"\u9875\u6ce8\u5165\u4efb\u610fweb\u811a\u672c\u6216HTML\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Dolibarr ERP/CRM\u5b58\u5728\u591a\u4e2a\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Dolibarr ERP/CRM \u003c=3.8.3"
  },
  "referenceLink": "https://github.com/Dolibarr/dolibarr/issues/4291",
  "serverity": "\u4e2d",
  "submitTime": "2016-01-21",
  "title": "Dolibarr ERP/CRM\u5b58\u5728\u591a\u4e2a\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e"
}

CVE-2015-8685 (GCVE-0-2015-8685)

Vulnerability from cvelistv5

Published

2016-01-15 19:00

Modified

2024-08-06 08:29

Severity ?

CWE

Summary

Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM 3.8.3 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) external calendar url or (2) the bank name field in the "import external calendar" page.

References

▼	URL	Tags
	https://github.com/Dolibarr/dolibarr/issues/4291	x_refsource_CONFIRM
	http://packetstormsecurity.com/files/135256/dolibarr-HTML-Injection.html	x_refsource_MISC
	https://github.com/GPCsolutions/dolibarr/commit/0d3181324c816bdf664ca5e1548dfe8eb05c54f8	x_refsource_CONFIRM
	http://seclists.org/fulldisclosure/2016/Jan/40	mailing-list, x_refsource_FULLDISC

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T08:29:20.696Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/Dolibarr/dolibarr/issues/4291"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/135256/dolibarr-HTML-Injection.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/GPCsolutions/dolibarr/commit/0d3181324c816bdf664ca5e1548dfe8eb05c54f8"
          },
          {
            "name": "20160113 Html injection Dolibarr 3.8.3",
            "tags": [
              "mailing-list",
              "x_refsource_FULLDISC",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2016/Jan/40"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2016-01-12T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM 3.8.3 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) external calendar url or (2) the bank name field in the \"import external calendar\" page."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2016-12-05T14:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/Dolibarr/dolibarr/issues/4291"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/135256/dolibarr-HTML-Injection.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/GPCsolutions/dolibarr/commit/0d3181324c816bdf664ca5e1548dfe8eb05c54f8"
        },
        {
          "name": "20160113 Html injection Dolibarr 3.8.3",
          "tags": [
            "mailing-list",
            "x_refsource_FULLDISC"
          ],
          "url": "http://seclists.org/fulldisclosure/2016/Jan/40"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2015-8685",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM 3.8.3 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) external calendar url or (2) the bank name field in the \"import external calendar\" page."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/Dolibarr/dolibarr/issues/4291",
              "refsource": "CONFIRM",
              "url": "https://github.com/Dolibarr/dolibarr/issues/4291"
            },
            {
              "name": "http://packetstormsecurity.com/files/135256/dolibarr-HTML-Injection.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/135256/dolibarr-HTML-Injection.html"
            },
            {
              "name": "https://github.com/GPCsolutions/dolibarr/commit/0d3181324c816bdf664ca5e1548dfe8eb05c54f8",
              "refsource": "CONFIRM",
              "url": "https://github.com/GPCsolutions/dolibarr/commit/0d3181324c816bdf664ca5e1548dfe8eb05c54f8"
            },
            {
              "name": "20160113 Html injection Dolibarr 3.8.3",
              "refsource": "FULLDISC",
              "url": "http://seclists.org/fulldisclosure/2016/Jan/40"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2015-8685",
    "datePublished": "2016-01-15T19:00:00",
    "dateReserved": "2015-12-26T00:00:00",
    "dateUpdated": "2024-08-06T08:29:20.696Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted