CVE-2023-38888: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

September 20, 2023 (updated September 22, 2023)

Cross Site Scripting vulnerability in Dolibarr ERP CRM v.17.0.1 and before allows a remote attacker to obtain sensitive information and execute arbitrary code via the REST API module, related to analyseVarsForSqlAndScriptsInjection and testSqlAndScriptInject.

References

dolibarr.com/
akerva.com/wp-content/uploads/2023/09/AKERVA_Security-Advisory_CVE-2023-38888_Dolibarr_XSS.pdf
github.com/advisories/GHSA-62wf-h26v-5m57
nvd.nist.gov/vuln/detail/CVE-2023-38888

Code Behaviors & Features

Detect and mitigate CVE-2023-38888 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →