Linux Distros Unpatched Vulnerability : CVE-2024-23817

🗓️ 10 Sep 2025 00:00:00Reported by TenableType

Dolibarr 18.0.4 on Linux has unpatched HTML injection vulnerability CVE-2024-23817 enabling XSS.

Reporter	Title	Published	Views	Family All 17
Circl	CVE-2024-23817	25 Jan 202421:26	–	circl
CNNVD	Dolibarr Security Breach	25 Jan 202400:00	–	cnnvd
CVE	CVE-2024-23817	25 Jan 202419:42	–	cve
Cvelist	CVE-2024-23817 Dolibarr Application Home Page HTML injection vulnerability	25 Jan 202419:42	–	cvelist
EUVD	EUVD-2024-1139	3 Oct 202520:07	–	euvd
Github Security Blog	Dolibarr Application Home Page has HTML injection vulnerability	18 Apr 202416:42	–	github
NVD	CVE-2024-23817	25 Jan 202420:15	–	nvd
OSV	BIT-DOLIBARR-2024-23817 Dolibarr Application Home Page HTML injection vulnerability	3 Apr 202514:06	–	osv
OSV	CVE-2024-23817 Dolibarr Application Home Page HTML injection vulnerability	25 Jan 202419:42	–	osv
OSV	GHSA-7947-48Q7-CP5M Dolibarr Application Home Page has HTML injection vulnerability	18 Apr 202416:42	–	osv

Source	Link
ubuntu	www.ubuntu.com/security/CVE-2024-23817
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(262058);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/09/10");

  script_cve_id("CVE-2024-23817");

  script_name(english:"Linux Distros Unpatched Vulnerability : CVE-2024-23817");

  script_set_attribute(attribute:"synopsis", value:
"The Linux/Unix host has one or more packages installed with a vulnerability that the vendor indicates will not be
patched.");
  script_set_attribute(attribute:"description", value:
"The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied
patch available.

  - Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software
    package. Version 18.0.4 has a HTML Injection vulnerability in the Home page of the Dolibarr Application.
    This vulnerability allows an attacker to inject arbitrary HTML tags and manipulate the rendered content in
    the application's response. Specifically, I was able to successfully inject a new HTML tag into the
    returned document and, as a result, was able to comment out some part of the Dolibarr App Home page HTML
    code. This behavior can be exploited to perform various attacks like Cross-Site Scripting (XSS). To
    remediate the issue, validate and sanitize all user-supplied input, especially within HTML attributes, to
    prevent HTML injection attacks; and implement proper output encoding when rendering user-provided data to
    ensure it is treated as plain text rather than executable HTML. (CVE-2024-23817)

Note that Nessus relies on the presence of the package as reported by the vendor.");
  script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/CVE-2024-23817");
  script_set_attribute(attribute:"solution", value:
"There is no known solution at this time.");
  script_set_attribute(attribute:"agent", value:"unix");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-23817");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"vendor_unpatched", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/01/25");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/09/10");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:dolibarr");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl", "set_linux_os_id.nasl");
  script_require_keys("Host/cpu", "Host/local_checks_enabled", "global_settings/vendor_unpatched", "Host/OS/identifier");
  script_require_ports("Host/OS/Ubuntu Linux-16.04");

  exit(0);
}

if (!get_kb_item("global_settings/vendor_unpatched")) exit(0, "Unpatched Vulnerabilities Detection not active.");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (empty_or_null(get_one_kb_item("Host/Debian/dpkg-l"))) audit(AUDIT_PACKAGE_LIST_MISSING);

include('linux_unpatched.inc');

var distro_constraints_array = {
  "Ubuntu Linux-16.04": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "16.04",
        "pkgs": [
          {"reference": "dolibarr"}
        ]
      }
    ]
  }
};

var distro_constraints_values = linux_unpatched::get_distro_constraints(distro_constraints_arr:distro_constraints_array);
if (empty_or_null(distro_constraints_values)) audit(AUDIT_HOST_NOT, 'affected');
var report = linux_unpatched::check_unpatched_constraints(distro_constraints_values:distro_constraints_values);

if (!empty_or_null(report))
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : report
  );
  exit(0);
}
else
{
  audit(AUDIT_HOST_NOT, 'affected');
}

10 Sep 2025 00:00Current

6.7Medium risk

Vulners AI Score6.7

CVSS 3.16.1 - 7.1

EPSS0.00557

SSVC