CVE-2020-13240
MEDIUM
Dolibarr 11.0.4 - Stored Cross-Site Scripting via File Extension Bypass
The DMS/ECM module in Dolibarr 11.0.4 allows users with the 'Setup documents directories' permission to rename uploaded files to have insecure file extensions. This bypasses the .noexe protection mechanism against XSS.
References (1)
https://www.dubget.com/stored-xss-via-file-upload.html (Exploit, Third Party Advisory)
Scores
CVSS v3
5.4
EPSS
0.0070
EPSS Percentile
48.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Details
CWE
CWE-276
CWE-668
Status
published
Products (2)
dolibarr/dolibarr
Packagist
dolibarr/dolibarr_erp/crm
11.0.4
Published
May 20, 2020
Tracked Since
Feb 18, 2026