CVE-2021-47779

MEDIUM

Dolibarr ERP/CRM 14.0.2 - Stored Cross-Site Scripting in Ticket Creation Module

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-47779. PoCs published by Oscar Gil Gutierrez.

AI-analyzed exploit summary This exploit demonstrates a stored XSS vulnerability in Dolibarr ERP-CRM 14.0.2, allowing a low-privilege user to escalate privileges by tricking an administrator into copying malicious content. The payload injects a script that modifies user permissions via an AJAX request.

Description

Dolibarr ERP-CRM 14.0.2 contains a stored cross-site scripting vulnerability in the ticket creation module that allows low-privilege users to inject malicious scripts. Attackers can craft a specially designed ticket message with embedded JavaScript that triggers when an administrator copies the text, potentially enabling privilege escalation.

Exploits (1)

exploitdb WORKING POC

by Oscar Gil Gutierrez · textwebappsphp

https://www.exploit-db.com/exploits/50432

View Code ZIP pw:eip

This exploit demonstrates a stored XSS vulnerability in Dolibarr ERP-CRM 14.0.2, allowing a low-privilege user to escalate privileges by tricking an administrator into copying malicious content. The payload injects a script that modifies user permissions via an AJAX request.

Classification

Working Poc 95%

Attack Type

Xss

Complexity

Moderate

Reliability

Reliable

Target: Dolibarr ERP-CRM v14.0.2

Auth required

Prerequisites: Low-privilege user with access to the Tickets module · Administrator interaction (copying text) · Remote hosting for the malicious JavaScript file

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Core References

Various Sources product

https://www.dolibarr.org/

Exploit, Third Party Advisory exploit

https://www.exploit-db.com/exploits/50432

Various Sources product

https://github.com/Dolibarr

Third Party Advisory third-party-advisory

https://www.vulncheck.com/advisories/dolibarr-erp-crm-stored-cross-site-scripting-xss-privilege-escalation

Scores

CVSS v3 5.4

EPSS 0.0031

EPSS Percentile 22.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (2)

Dolibarr/CRM 14.0.2

dolibarr/dolibarr_erp\/crm 14.0.2

Published Jan 16, 2026

Tracked Since Feb 18, 2026