CVE-2015-8685

Exploit

EPSS 0.21%
Published 15.01.2016 19:59:01
Last modified 12.04.2025 10:46:40
Source cve@mitre.org
Teams watchlist Login
Open Login

Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM 3.8.3 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) external calendar url or (2) the bank name field in the "import external calendar" page.

Affected products Warnungen 0 Metrics 3 CWE 1 References 7

Data is provided by the National Vulnerability Database (NVD)

Dolibarr ≫ Dolibarr Version <= 3.8.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.21%	0.437

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.1	2.8	2.7	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd@nist.gov	4.3	8.6	2.9	AV:N/AC:M/Au:N/C:N/I:P/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

http://packetstormsecurity.com/files/135256/dolibarr-HTML-Injection.html

http://seclists.org/fulldisclosure/2016/Jan/40

Exploit

https://github.com/Dolibarr/dolibarr/issues/4291

Exploit

https://github.com/GPCsolutions/dolibarr/commit/0d3181324c816bdf664ca5e1548dfe8eb05c54f8

https://nvd.nist.gov/vuln/detail/CVE-2015-8685

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2015-8685

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2015-8685

EUVD