CVE-2021-47779

Description

Dolibarr ERP-CRM 14.0.2 contains a stored cross-site scripting vulnerability in the ticket creation module that allows low-privilege users to inject malicious scripts. Attackers can craft a specially designed ticket message with embedded JavaScript that triggers when an administrator copies the text, potentially enabling privilege escalation.

PUBLISHED Reserved 2026-01-14 | Published 2026-01-15 | Updated 2026-01-16 | Assigner VulnCheck

Problem types

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

Credits

Oscar Gutierrez (m4xp0w3r) finder

References

www.exploit-db.com/exploits/50432 (ExploitDB-50432) exploit

www.dolibarr.org/ (Official Dolibarr Vendor Homepage) product

github.com/Dolibarr (Dolibarr GitHub Repository) product

www.vulncheck.com/...site-scripting-xss-privilege-escalation (VulnCheck Advisory: Dolibarr ERP-CRM 14.0.2 - Stored Cross-Site Scripting (XSS) / Privilege Escalation) third-party-advisory

cve.org (CVE-2021-47779)

nvd.nist.gov (CVE-2021-47779)

Download JSON