CVE-2020-36966
Unknown Unknown - Not Provided
Persistent XSS in Dolibarr LDAP Sync Allows Cookie Theft

Publication date: 2026-01-30

Last updated on: 2026-01-30

Assigner: VulnCheck

Description
Dolibarr 11.0.3 contains a persistent cross-site scripting vulnerability in LDAP synchronization settings that allows attackers to inject malicious scripts through multiple parameters. Attackers can exploit the host, slave, and port parameters in /dolibarr/admin/ldap.php to execute arbitrary JavaScript and potentially steal user cookie information.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-30
Last Modified
2026-01-30
Generated
2026-06-16
AI Q&A
2026-01-30
EPSS Evaluated
2026-06-15
NVD
CVE-2020-36966
EUVD
EUVD-2020-30964
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
dolibarr dolibarr 11.0.3
dolibarr dolibarr to 11.0.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a persistent cross-site scripting (XSS) flaw in Dolibarr version 11.0.3, specifically in the LDAP synchronization settings handled by the /dolibarr/admin/ldap.php script. Attackers can inject malicious JavaScript code through multiple parameters such as host, slave, and port. The injected script persists and executes in the context of the web application, allowing attackers to run arbitrary JavaScript. This can lead to actions like stealing user cookies and session information. [1, 2]

Impact Analysis

The vulnerability can allow attackers to execute arbitrary JavaScript code within the affected application, potentially leading to theft of user cookies and session hijacking. This can compromise user accounts and allow unauthorized access or actions within the application. The persistent nature of the XSS means the malicious script remains active and can affect multiple users. [1, 2]

Detection Guidance

This vulnerability can be detected by monitoring HTTP POST requests to the /dolibarr/admin/ldap.php endpoint with the action parameter set to 'setvalue'. Specifically, look for suspicious payloads injected into the 'host', 'slave', or 'port' parameters containing encoded SVG content with embedded JavaScript. A practical detection method is to capture and inspect POST requests for base64-encoded SVG payloads or unusual script tags within these parameters. For example, using curl or similar tools, you can attempt to reproduce the injection payload to verify if the system is vulnerable. Additionally, web application firewalls (WAF) or intrusion detection systems (IDS) can be configured to alert on such patterns. Example command to test injection (replace URL accordingly): curl -X POST -d "action=setvalue&host=<payload>" https://your-dolibarr-instance/dolibarr/admin/ldap.php [1]

Mitigation Strategies

Immediate mitigation steps include restricting access to the /dolibarr/admin/ldap.php page to trusted administrators only, applying input validation and sanitization on the 'host', 'slave', and 'port' parameters to prevent script injection, and updating Dolibarr to a version where this vulnerability is fixed if available. Additionally, monitoring and blocking suspicious POST requests containing script payloads can help reduce risk. If a patch is not yet available, consider disabling LDAP synchronization settings temporarily to prevent exploitation. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2020-36966. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart