
Advisory Summary

Dolibarr ERP & CRM v14.0.2 suffers from a stored XSS vulnerability in the ticket creation flow that allows a low-privilege user (one with full access to the Tickets module) to obtain full permissions. For this attack vector to work, an administrator user needs to copy the text in the "message" box.

Authenticated attackers could perform actions in the context of high-privilege users. This vulnerability could lead to site-wide account takeover, privilege escalation and theft of anti-CSRF tokens.

Affected Vendor

Vendor: Dolibarr
Product: Dolibarr ERP CRM 14.0.2 and earlier versions

Vulnerability Summary

The built-in WAF (web application firewall) uses a deny list to block some HTML tags and most JavaScript event handlers, but not onbeforecopy and onbeforecut. To exploit this vulnerability, an authenticated attacker needs to craft a payload that does not include any of the forbidden HTML tags or JavaScript event handlers.

CVE: CVE-2021-42220

```php
// For XSS Injection done by closing textarea to execute content into a textarea field
$inj += preg_match('/<\/textarea/i', $val);
$inj += preg_match('/<audio/i', $val);
$inj += preg_match('/<embed/i', $val);
$inj += preg_match('/<iframe/i', $val);
$inj += preg_match('/<object/i', $val);
$inj += preg_match('/<script/i', $val);
$inj += preg_match('/Set\.constructor/i', $val); // ECMA script 6
if (!defined('NOSTYLECHECK')) {
    $inj += preg_match('/<style/i', $val);
}
$inj += preg_match('/base\s+href/si', $val);
$inj += preg_match('/=data:/si', $val);
$inj += preg_match('/on(mouse|drag|key|load|touch|pointer|select|transition)([a-z]*)\s*=/i', $val); // onmousexxx can be set on img or any html tag like <img title='...' onmouseover=alert(1)>
$inj += preg_match('/on(abort|afterprint|animation|auxclick|beforeprint|beforeunload|blur
$inj += preg_match('/on(dblclick|drop|durationchange|emptied|ended|error|focus|focusin|foc
$inj += preg_match('/on(lostpointercapture|offline|online|pagehide|pageshow)\s*=/i', $val);
$inj += preg_match('/on(paste|pause|play|playing|progress|ratechange|reset|resize|scroll|s
$inj += preg_match('/on(timeupdate|toggle|unload|volumechange|waiting|wheel)\s*=/i', $val);

// Same event checks again on a copy with HTML tags stripped
$tmpval = preg_replace('/<[^<]+>/', '', $val);
// List of dom events is on and
$inj += preg_match('/on(mouse|drag|key|load|touch|pointer|select|transition)([a-z]*)\s*=/i', $val); // onmousexxx can be set on img or any html tag like <img title='...' onmouseover=alert(1)>
$inj += preg_match('/on(abort|afterprint|animation|auxclick|beforeprint|beforeunload|blur
$inj += preg_match('/on(dblclick|drop|durationchange|emptied|ended|error|focus|focusin|foc
$inj += preg_match('/on(lostpointercapture|offline|online|pagehide|pageshow)\s*=/i', $tmpval);
$inj += preg_match('/on(paste|pause|play|playing|progress|ratechange|reset|resize|scroll|s
$inj += preg_match('/on(timeupdate|toggle|unload|volumechange|waiting|wheel)\s*=/i', $tmpval);
```


Deny list implemented in line 87.
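To make the weakness of the deny-list approach concrete, the following added example (not Dolibarr code) re-implements a constructed subset of the patterns from the excerpt above in Python and compares it with a generic check that refuses any on&lt;event&gt;= attribute without enumerating event names. The sample inputs and the placeholder x() are constructed for illustration.

```python
import re

# Constructed subset of the 14.0.2 deny list transcribed from the excerpt above
# (the real list is longer; the shape of the checks is what matters here).
TAG_PATTERNS = [
    r'<\/textarea', r'<audio', r'<embed', r'<iframe', r'<object', r'<script',
    r'Set\.constructor', r'<style', r'base\s+href', r'=data:',
]
EVENT_PATTERNS = [
    r'on(mouse|drag|key|load|touch|pointer|select|transition)([a-z]*)\s*=',
    r'on(lostpointercapture|offline|online|pagehide|pageshow)\s*=',
    r'on(timeupdate|toggle|unload|volumechange|waiting|wheel)\s*=',
]


def denylist_hits(val: str) -> int:
    """Count matches the way the WAF excerpt does: tag patterns on the raw value,
    event patterns on the raw value and again on a tag-stripped copy."""
    inj = 0
    for pat in TAG_PATTERNS:
        inj += bool(re.search(pat, val, re.I))
    tmpval = re.sub(r'<[^<]+>', '', val)  # mirrors preg_replace('/<[^<]+>/', '', $val)
    for pat in EVENT_PATTERNS:
        inj += bool(re.search(pat, val, re.I))
        inj += bool(re.search(pat, tmpval, re.I))
    return inj


# Generic alternative: flag any attribute named on<letters> followed by '=',
# whatever the event. Nothing has to be enumerated, so onbeforecopy is covered.
ANY_EVENT_ATTR = re.compile(r'(?<![a-z])on[a-z]+\s*=', re.I)


def generic_event_hits(val: str) -> int:
    return len(ANY_EVENT_ATTR.findall(val))


# Constructed sample ticket messages; x() stands in for attacker-controlled script.
SAMPLES = {
    "listed event":   "<img title='x' onmouseover=x()>",
    "unlisted event": "<div onbeforecopy=x()>copy this text</div>",
    "plain text":     "Printer on desk 3 is offline, ticket #42",
}

if __name__ == "__main__":
    for label, val in SAMPLES.items():
        print(f"{label:14s} denylist={denylist_hits(val)} generic={generic_event_hits(val)}")
```

The unlisted-event sample scores zero against the deny list but one against the generic check, which is the gap the advisory describes.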

Proof of Concept

Remediation

Update to version 14.0.3 or the newest version.

Disclosure Timeline

  • 10/8/2021 - Vendor contacted.
  • 10/8/2021 - Vulnerability acknowledged and fix released.

TRUE Advisory Contact: Oscar Gutierrez