CVE-2020-36966
Persistent XSS in Dolibarr LDAP Sync Allows Cookie Theft
Publication date: 2026-01-30
Last updated on: 2026-01-30
Assigner: VulnCheck
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dolibarr | dolibarr | 11.0.3 |
| dolibarr | dolibarr | < 11.0.3 (range upper bound exclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This is a stored (persistent) cross-site scripting (XSS) flaw in Dolibarr 11.0.3, in the LDAP synchronization settings form handled by /dolibarr/admin/ldap.php. Values submitted in several parameters of that form, including host, slave and port, are saved without being neutralized and are later written back into the page, so script embedded in them runs in the browser of anyone who views the affected page. Because the payload is kept in the application's configuration rather than reflected from a single request, it keeps executing until the stored value is cleaned up, and the attacker can use it to steal cookies and session data. The form lives under the admin area, so planting the payload requires an account that can reach that page; the damage is done to the other users whose browsers later render it. [1, 2]
How can this vulnerability impact me?
The vulnerability lets an attacker execute arbitrary JavaScript in the context of the affected application, which can lead to theft of cookies and session hijacking, and from there to compromised accounts and unauthorized actions performed with the victim's privileges. Reading the session cookie through document.cookie only works when that cookie lacks the HttpOnly flag; even when it is protected, script running inside a victim's session can still issue requests on their behalf. Because the XSS is stored, the malicious script stays active and can affect every user who views the page, not just the one who submitted the payload. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection has two sides: the request that plants the payload and the payload that is already stored. On the request side, watch HTTP POSTs to the /dolibarr/admin/ldap.php endpoint with the action parameter set to 'setvalue' and inspect the 'host', 'slave' and 'port' parameters for markup, script tags, event handlers, or base64-encoded SVG content carrying embedded JavaScript; a port value that is not a small integer is already a strong signal. Ordinary access logs do not record POST bodies, so this needs a WAF, reverse proxy or IDS that inspects request bodies, configured to alert on such patterns. On the stored side, because the payload persists in configuration, query the stored LDAP settings (in Dolibarr's constants table, llx_const with the default table prefix) for values containing '<', 'javascript:' or 'base64,'. If you want to verify the behaviour with curl, do it against a test instance rather than production, since a successful test stores the payload, and send the request with an authenticated admin session cookie and any CSRF token the form requires (replace the URL accordingly): curl -X POST -b "<admin session cookie>" -d "action=setvalue&host=<payload>" https://your-dolibarr-instance/dolibarr/admin/ldap.php [1]
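The request-side check described above, as an added example that is not part of the original advisory or of Dolibarr itself: a small Python scanner that takes captured POST bodies for the LDAP settings page, URL-decodes them, and flags the three parameters the advisory names when they carry a tag opener, a javascript: URL, an on*= handler or a base64 data: URI, decoding any base64 blob to look inside it as well. The traffic records, client addresses and payloads are constructed for the example; the only names taken from the page are the endpoint path and the host, slave and port parameters.

```python
import base64
import re
from urllib.parse import parse_qs, urlencode

# The three form fields the advisory names as injection points on admin/ldap.php.
WATCHED_PARAMS = ("host", "slave", "port")

# Fragments that never belong in an LDAP host name or port: a tag opener,
# a javascript: URL, an on*= event handler, or a base64 data: URI (the usual
# way to smuggle an SVG that carries script).
MARKUP_RE = re.compile(r"<[a-z!/?]|javascript:|\bon[a-z]+\s*=|data:[^,]*;base64,", re.I)
PORT_RE = re.compile(r"^\d{1,5}$")
B64_RE = re.compile(r"base64,([A-Za-z0-9+/=]+)")


def decoded_base64_blobs(value):
    """Yield the decoded text of every base64 blob found inside a data: URI."""
    for blob in B64_RE.findall(value):
        try:
            yield base64.b64decode(blob).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError subclass
            continue


def findings_for_body(body):
    """Inspect one URL-encoded POST body; return [(param, reason), ...]."""
    fields = parse_qs(body, keep_blank_values=True)
    findings = []
    for name in WATCHED_PARAMS:
        for value in fields.get(name, []):
            if name == "port" and not PORT_RE.match(value):
                findings.append((name, "non-numeric port"))
            if MARKUP_RE.search(value):
                findings.append((name, "markup or script in value"))
            for text in decoded_base64_blobs(value):
                if MARKUP_RE.search(text):
                    findings.append((name, "script inside base64-encoded data URI"))
    return findings


def scan_requests(records):
    """records: iterable of (client, path, body) for captured POSTs.
    Returns [(client, param, reason), ...] for the LDAP settings page only."""
    hits = []
    for client, path, body in records:
        if not path.endswith("/admin/ldap.php"):
            continue
        for param, reason in findings_for_body(body):
            hits.append((client, param, reason))
    return hits


# Constructed sample traffic (not real captures). The first record is a benign
# settings save; the next three carry the kinds of payload the advisory describes;
# the last one targets a different page and must be ignored.
_SVG_B64 = base64.b64encode(b"<svg onload=alert(1)></svg>").decode()
SAMPLE_REQUESTS = [
    ("10.0.0.5", "/dolibarr/admin/ldap.php",
     urlencode({"action": "setvalue", "host": "ldap.example.internal",
                "slave": "ldap2.example.internal", "port": "389"})),
    ("10.0.0.9", "/dolibarr/admin/ldap.php",
     urlencode({"action": "setvalue", "host": "<svg onload=alert(1)>",
                "slave": "", "port": "389"})),
    ("10.0.0.9", "/dolibarr/admin/ldap.php",
     urlencode({"action": "setvalue", "host": "ldap.example.internal",
                "slave": "data:image/svg+xml;base64," + _SVG_B64, "port": "389"})),
    ("10.0.0.9", "/dolibarr/admin/ldap.php",
     urlencode({"action": "setvalue", "host": "ldap.example.internal",
                "slave": "", "port": "389<img src=x onerror=alert(1)>"})),
    ("10.0.0.7", "/dolibarr/user/card.php",
     urlencode({"action": "update", "host": "<script>"})),
]

if __name__ == "__main__":
    for client, param, reason in scan_requests(SAMPLE_REQUESTS):
        print(f"{client}: suspicious '{param}' ({reason})")
```

The base64 step matters because a payload such as a data: SVG URI contains no '<' at all on the wire; only after decoding does the script become visible, which is also why a plain substring rule on the raw body misses it.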
What immediate steps should I take to mitigate this vulnerability?
Update Dolibarr to a release in which this issue is fixed as soon as one is available; until then, restrict access to the /dolibarr/admin/ldap.php page to trusted administrators only, and consider temporarily disabling LDAP synchronization so the settings form cannot be used to plant a payload. At the code level the fix is allowlist validation of the 'host', 'slave' and 'port' parameters (a host name or IP address, an integer port) together with HTML-encoding of the stored values wherever they are written back into a page; at the perimeter, a WAF can block POSTs to this endpoint whose parameters contain script or markup. Because the payload persists in configuration, patching alone is not enough: inspect the stored LDAP settings and remove any injected value, invalidate active sessions and have users log in again if you suspect the page was already exploited, and make sure the session cookie carries the HttpOnly and Secure flags so that any future script injection cannot simply read it. [1, 2]
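The validation and encoding side of the mitigation, as an added example that is not the project's own code and not its actual fix: an allowlist validator for the three fields (IP literal or RFC 1123 host name, optionally prefixed with ldap:// or ldaps://, and an integer port) beside the output encoding a template must apply when it writes a stored value back into the page. The accepted forms and the error messages are assumptions made for the example; the field names are the ones the advisory gives.

```python
import html
import ipaddress
import re

# Assumed accepted forms (not taken from the Dolibarr source): an optional
# ldap:// or ldaps:// scheme, then either an IP literal or a dotted RFC 1123
# host name whose labels are letters, digits and inner hyphens.
SCHEME_RE = re.compile(r"^ldaps?://", re.I)
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_host(value):
    """Allowlist check: IP literal or dotted RFC 1123 host name, nothing else."""
    host = SCHEME_RE.sub("", value, count=1)
    if not host or len(host) > 253:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    return all(LABEL_RE.match(label) for label in host.rstrip(".").split("."))


def is_valid_port(value):
    """Allowlist check: an ASCII decimal integer in the TCP port range."""
    return value.isdigit() and value.isascii() and 1 <= int(value) <= 65535


def validate_ldap_settings(form):
    """Validate the host, slave and port fields of the settings form.
    Returns {field: error}; an empty dict means the submission is acceptable."""
    errors = {}
    host = form.get("host", "")
    if not host:
        errors["host"] = "required"
    elif not is_valid_host(host):
        errors["host"] = "must be an IP address or host name"
    slave = form.get("slave", "")  # the secondary server is optional
    if slave and not is_valid_host(slave):
        errors["slave"] = "must be an IP address or host name"
    if not is_valid_port(form.get("port", "")):
        errors["port"] = "must be an integer between 1 and 65535"
    return errors


def render_setting(value):
    """Output encoding for the settings page: what a template must emit when it
    places a stored value inside an HTML attribute or text node, so that a value
    that slipped past validation (or was stored before the fix) is displayed
    rather than executed."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    # Constructed submissions: one clean, one carrying the advisory's kind of payload.
    for form in ({"host": "ldap.example.internal", "slave": "", "port": "389"},
                 {"host": "<svg onload=alert(1)>", "slave": "", "port": "389<img src=x>"}):
        print(form, "->", validate_ldap_settings(form) or "accepted")
    print(render_setting('<svg onload="alert(1)">'))
```

Validation rejects the payload before it is stored; encoding on output is the defence in depth for values that are already in the database, which is why the clean-up step after patching still matters.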