6.8 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
34.2%
The test_sql_and_script_inject function in htdocs/main.inc.php in Dolibarr ERP/CRM 6.0.4 blocks some event attributes but neither onclick nor onscroll, which allows XSS.
github.com/Dolibarr/dolibarr
github.com/Dolibarr/dolibarr/commit/b2feac9d90f2ecfd5916c4d49176ff1a138744c8
github.com/Dolibarr/dolibarr/issues/8000
nvd.nist.gov/vuln/detail/CVE-2017-17971