CVE-2024-55227
Published: 27 January 2025
Description
A cross-site scripting (XSS) vulnerability in the Events/Agenda module of Dolibarr v21.0.0-beta allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title parameter.
Security Summary
CVE-2024-55227 is a cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting the Events/Agenda module in Dolibarr version 21.0.0-beta. The flaw enables attackers to execute arbitrary web scripts or HTML by injecting a crafted payload into the Title parameter. It carries a CVSS v3.1 base score of 9.0 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H), indicating critical severity due to network accessibility, low complexity, and high potential impacts across confidentiality, integrity, and availability.
The vulnerability can be exploited by an authenticated attacker with low privileges (PR:L) who crafts and injects a malicious payload into the Title field. Exploitation requires user interaction (UI:R), such as a victim viewing or interacting with the tainted event or agenda content. Upon success, the injected scripts execute in the victim's browser context, enabling actions like session hijacking, data theft, or further compromise, amplified by the changed scope (S:C) that elevates impact beyond the vulnerable component.
Patches addressing this issue are available in Dolibarr repository commits 56710ce9b79a97df093f586c90bdaf6cce6a5808, 9aa24d9d9aeab36358c725dae3fe20c9631082e7, and c0250e4c9106b5c889e512a4771f0205d4f99b99. A proof-of-concept payload is detailed at https://gist.github.com/Dqtdqt/9762466cd6ec541ea265ba33b09489ff. Additional guidance on reporting and handling is provided in the Dolibarr security policy at https://github.com/Dolibarr/dolibarr/security/policy.
Details
- CWE(s)