Cyber Posture

CVE-2024-55227

Critical · Public PoC

Published: 27 January 2025
Modified: 19 February 2025
KEV Added: not listed
Patch: available
CVSS Score: 9.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0022 (44.8th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-55227 is a critical-severity cross-site scripting (CWE-79) vulnerability in Dolibarr ERP/CRM. Its CVSS base score is 9.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 44.8th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and two other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent (SI-10, Information Input Validation): Validates inputs to the Title parameter in the Events/Agenda module, preventing injection of crafted XSS payloads.

Prevent (SI-15, Information Output Filtering): Filters outputs when rendering the Title parameter, blocking execution of injected scripts in victims' browsers.

Prevent (patching): Remediates the specific flaw by applying the available patches from the Dolibarr commits, eliminating the XSS vulnerability.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1185 Browser Session Hijacking (Collection)
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user behaviors, and intercept information as part of various browser session hijacking techniques.
T1539 Steal Web Session Cookie (Credential Access)
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Why these techniques?

The XSS flaw in the public-facing Dolibarr web application is reached by exploiting that application (T1190); once the payload executes in a victim's browser it enables browser session hijacking (T1185) and web session cookie theft (T1539).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A cross-site scripting (XSS) vulnerability in the Events/Agenda module of Dolibarr v21.0.0-beta allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title parameter.

Deeper analysis

CVE-2024-55227 is a cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting the Events/Agenda module in Dolibarr version 21.0.0-beta. The flaw enables attackers to execute arbitrary web scripts or HTML by injecting a crafted payload into the Title parameter. It carries a CVSS v3.1 base score of 9.0 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H), indicating critical severity due to network accessibility, low complexity, and high potential impacts across confidentiality, integrity, and availability.

The vulnerability can be exploited by an authenticated attacker with low privileges (PR:L) who crafts and injects a malicious payload into the Title field. Exploitation requires user interaction (UI:R), such as a victim viewing or interacting with the tainted event or agenda content. Upon success, the injected scripts execute in the victim's browser context, enabling actions like session hijacking, data theft, or further compromise, amplified by the changed scope (S:C) that elevates impact beyond the vulnerable component.

Patches addressing this issue are available in Dolibarr repository commits 56710ce9b79a97df093f586c90bdaf6cce6a5808, 9aa24d9d9aeab36358c725dae3fe20c9631082e7, and c0250e4c9106b5c889e512a4771f0205d4f99b99. A proof-of-concept payload is detailed at https://gist.github.com/Dqtdqt/9762466cd6ec541ea265ba33b09489ff. Additional guidance on reporting and handling is provided in the Dolibarr security policy at https://github.com/Dolibarr/dolibarr/security/policy.

Details

CWE(s): CWE-79 (Cross-site Scripting)

Affected Products: Dolibarr ERP/CRM (vendor: Dolibarr), version 21.0.0

CVEs Like This One

CVE-2024-55228: same product (Dolibarr ERP/CRM)
CVE-2026-22666: same product (Dolibarr ERP/CRM)
CVE-2026-23500: same product (Dolibarr ERP/CRM)
CVE-2026-31019: same product (Dolibarr ERP/CRM)
CVE-2026-31018: same product (Dolibarr ERP/CRM)
CVE-2019-25710: same product (Dolibarr ERP/CRM)
CVE-2025-56588: same product (Dolibarr ERP/CRM)
CVE-2019-25452: same product (Dolibarr ERP/CRM)
CVE-2019-25450: same product (Dolibarr ERP/CRM)
CVE-2025-0817: shared weakness (CWE-79)

References