CVE-2020-7996

Description

htdocs/user/passwordforgotten.php in Dolibarr 10.0.6 allows XSS via the Referer HTTP header.

How to fix CVE-2020-7996

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

• Bitnami/dolibarr—no fix listed
• Packagist/dolibarr/dolibarr—no fix listed

Is CVE-2020-7996 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

• >= 10.0.6, <= 10.0.6
• from 0, <= 10.0.6

CVSS scores

References (4)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-7996
• WEBgithub.com/Dolibarr/dolibarr
• WEBgithub.com/tufangungor/tufangungor.github.io/blob/master/_posts/2020-01-19-dolibarr-10.0.6-xss-in-http-header.md
• WEBtufangungor.github.io/exploit/2020/01/18/dolibarr-10.0.6-xss-in-http-header.html