CVE-2024-23817

Dolibarr is an enterprise resource planning (ERP) and customer relationship
management (CRM) software package. Version 18.0.4 has a HTML Injection
vulnerability in the Home page of the Dolibarr Application. This
vulnerability allows an attacker to inject arbitrary HTML tags and
manipulate the rendered content in the application’s response.
Specifically, I was able to successfully inject a new HTML tag into the
returned document and, as a result, was able to comment out some part of
the Dolibarr App Home page HTML code. This behavior can be exploited to
perform various attacks like Cross-Site Scripting (XSS). To remediate the
issue, validate and sanitize all user-supplied input, especially within
HTML attributes, to prevent HTML injection attacks; and implement proper
output encoding when rendering user-provided data to ensure it is treated
as plain text rather than executable HTML.