CVE-2024-55228
Published: 27 January 2025
Description
A cross-site scripting (XSS) vulnerability in the Product module of Dolibarr v21.0.0-beta allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title parameter.
Security Summary
CVE-2024-55228 is a cross-site scripting (XSS) vulnerability (CWE-79) in the Product module of Dolibarr version 21.0.0-beta. It allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title parameter. The vulnerability has a CVSS v3.1 base score of 9.0 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low complexity, and potential for high impacts across confidentiality, integrity, and availability.
An authenticated attacker with low privileges (PR:L) can exploit this vulnerability over the network with low complexity, though it requires user interaction (UI:R). By injecting a malicious payload into the Title parameter in the Product module, the attacker can execute arbitrary scripts in the context of other users' browsers, potentially leading to session hijacking, data theft, or further compromise, given the cross-scope impact (S:C) and the high rated impact on confidentiality, integrity, and availability.
Mitigation involves applying patches from Dolibarr repository commits such as 56710ce9b79a97df093f586c90bdaf6cce6a5808, 9aa24d9d9aeab36358c725dae3fe20c9631082e7, and c0250e4c9106b5c889e512a4771f0205d4f99b99. A proof-of-concept is available in the referenced GitHub Gist. Additional guidance is provided in Dolibarr's security policy at https://github.com/Dolibarr/dolibarr/security/policy. Security practitioners should ensure systems are updated beyond v21.0.0-beta.
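Because the payload lives in a stored field (a product title) that is rendered to every user who views the record, the durable fix is context-aware encoding at the point of output rather than filtering on input. The following PHP snippet is an added illustration, not Dolibarr's code and not the content of the referenced commits: it places the unsafe rendering pattern beside its hardened form. The function names, the field name and the sample title are assumptions constructed for the example.

```php
<?php
// Added example (not Dolibarr's own code): unsafe vs. hardened rendering of a
// user-controlled product title. Function names and the sample data are assumed.

declare(strict_types=1);

// Unsafe: the stored title is interpolated straight into HTML, so any markup it
// carries is parsed and executed by the browser of every user who views the product.
function renderTitleUnsafe(string $title): string
{
    return "<h1 class=\"product-title\">$title</h1>";
}

// Hardened: encode for the HTML context at output time.
// ENT_QUOTES also encodes single quotes, so the same helper is safe inside
// double- or single-quoted attribute values; ENT_SUBSTITUTE replaces invalid
// UTF-8 sequences instead of silently returning an empty string.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderTitleSafe(string $title): string
{
    return '<h1 class="product-title">' . escapeHtml($title) . '</h1>';
}

// Same helper reused in an attribute context (e.g. the edit form that echoes the
// stored value back); the quotes are encoded, so the attribute cannot be broken out of.
function renderTitleInput(string $title): string
{
    return '<input type="text" name="title" value="' . escapeHtml($title) . '">';
}

// Constructed sample: a stored title that carries markup.
$storedTitle = 'Widget <script>alert(1)</script> "Deluxe"';

echo renderTitleUnsafe($storedTitle), PHP_EOL;   // markup reaches the browser intact
echo renderTitleSafe($storedTitle), PHP_EOL;     // angle brackets and quotes are entity-encoded
echo renderTitleInput($storedTitle), PHP_EOL;    // value stays inside the attribute
```

The check a reviewer would apply to the patched release is that every place the title is echoed (list views, detail pages, the edit form, any PDF or export template that embeds HTML) goes through an output encoder appropriate to its context; a single unencoded sink is enough for the stored payload to fire.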
Details
- CWE(s)