CVE-2021-47779: Dolibarr ERP-CRM Stored XSS Vulnerability

CVE-2021-47779 Overview

CVE-2021-47779 is a stored cross-site scripting (XSS) vulnerability affecting Dolibarr ERP-CRM version 14.0.2. The vulnerability exists within the ticket creation module and allows low-privilege users to inject malicious JavaScript code into ticket messages. When an administrator views or copies the crafted ticket content, the embedded script executes in their browser context, potentially enabling privilege escalation and unauthorized administrative actions.

Dolibarr is an open-source ERP and CRM platform widely used by small and medium-sized businesses for managing business processes including invoicing, inventory, and customer relationship management. This vulnerability poses a significant risk to organizations relying on Dolibarr for critical business operations.

Critical Impact

Low-privilege users can escalate to administrative access by exploiting stored XSS in the ticket system, potentially compromising the entire ERP/CRM platform and sensitive business data.

Affected Products

• Dolibarr ERP-CRM 14.0.2
• Earlier versions of Dolibarr ERP-CRM may also be affected

Discovery Timeline

• 2026-01-16 - CVE-2021-47779 published to NVD
• 2026-01-16 - Last updated in NVD database

Technical Details for CVE-2021-47779

Vulnerability Analysis

This stored XSS vulnerability (CWE-79) resides in the ticket creation module of Dolibarr ERP-CRM. The application fails to properly sanitize user-supplied input when processing ticket messages, allowing attackers to embed malicious JavaScript that persists in the database. The attack requires minimal privileges—any user with ticket creation permissions can exploit this flaw.

The vulnerability is particularly dangerous because it targets administrative workflows. When administrators interact with malicious tickets—specifically when copying text content—the injected script executes with their elevated privileges. This creates a pathway for privilege escalation where low-privilege attackers can perform administrative actions through the victim's session.

Root Cause

The root cause stems from improper input validation and output encoding in the ticket message handling component. User-supplied content is stored in the database without adequate sanitization and subsequently rendered in the browser without proper HTML entity encoding. This allows specially crafted JavaScript to bypass security controls and execute in the context of authenticated users.

Attack Vector

The attack follows a network-based vector requiring user interaction. An attacker with low-level privileges creates a support ticket containing malicious JavaScript embedded within the message body. The payload is designed to trigger during copy operations—a common administrative action when handling support tickets. When an administrator copies the ticket content, the clipboard API interaction triggers the script execution, allowing the attacker to:

• Steal session tokens and authentication cookies
• Perform administrative actions on behalf of the victim
• Create new administrative accounts
• Access and exfiltrate sensitive business data
• Modify system configurations

The vulnerability exploits the trust relationship between authenticated administrators and the ticket management system. Since ticket content is expected to be user-generated, administrators may not exercise caution when handling ticket data.

Detection Methods for CVE-2021-47779

Indicators of Compromise

• Unusual JavaScript patterns in ticket message content, including <script> tags and event handlers
• Ticket entries containing encoded JavaScript payloads using HTML entities or URL encoding
• Unexpected administrative actions or account creations following ticket review activities
• Browser console errors or warnings when viewing specific tickets

Detection Strategies

• Implement Web Application Firewall (WAF) rules to detect XSS patterns in form submissions
• Monitor database entries in ticket-related tables for suspicious script content
• Enable Content Security Policy (CSP) headers to restrict script execution sources
• Review application logs for unusual patterns in ticket creation and administrator access sequences

Monitoring Recommendations

• Configure alerts for ticket messages containing common XSS payload signatures
• Monitor administrator session activity for anomalous behavior following ticket interactions
• Implement real-time scanning of user-generated content for malicious patterns
• Track clipboard-related JavaScript events in administrative interfaces

How to Mitigate CVE-2021-47779

Immediate Actions Required

• Upgrade Dolibarr ERP-CRM to the latest patched version immediately
• Review existing tickets for potentially malicious content before accessing them
• Implement strict Content Security Policy headers to mitigate XSS impact
• Restrict ticket creation permissions to trusted users until patches are applied

Patch Information

Organizations should upgrade to a patched version of Dolibarr ERP-CRM that addresses the input validation issues in the ticket module. Consult the GitHub Dolibarr Repository and Dolibarr Official Website for the latest security updates. Additional technical details can be found in the VulnCheck Dolibarr Advisory and Exploit-DB #50432.

Workarounds

• Implement server-side input validation to strip or encode HTML and JavaScript from ticket messages
• Deploy a Web Application Firewall with XSS protection rules in front of the Dolibarr instance
• Disable or restrict access to the ticket module for untrusted users until patching is complete
• Use browser extensions that block JavaScript execution when reviewing user-generated content

# Example Apache CSP configuration for XSS mitigation
# Add to .htaccess or Apache configuration file
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'self';"