
Cloud Vulnerability DB
A community-led vulnerabilities database
Dolibarr ERP/CRM before version 10.0.3 was discovered to contain multiple vulnerabilities due to insufficient filtering of the HTTP Header 'Accept-Language'. The vulnerability was identified with CVE-2019-19209 and was discovered on September 6, 2019, with a fix released in version 10.0.3 on October 30, 2019 (USD Advisory).
The vulnerability stems from insufficient filtering of the HTTP header 'Accept-Language'. The header value is modified but never validated before being stored in the variable '$langs->defaultlang', which is then used in multiple locations throughout the application. This implementation flaw affects multiple files, including /dolibarr/htdocs/admin/system/dolibarr.php, /dolibarr/htdocs/admin/mails_templates.php, and /dolibarr/htdocs/main.inc.php. The vulnerability has been assigned a CVSS v3.1 score of 7.5 HIGH (NVD).
Because the same unvalidated value reaches both HTML output and SQL queries, an attacker can perform Cross-Site Scripting (XSS) and SQL Injection attacks by manipulating the Accept-Language header. This could lead to unauthorized access to sensitive data and compromise of the application's security (USD Advisory).
The vulnerability was fixed in Dolibarr version 10.0.3. The recommended mitigation is to validate the HTTP Header Accept-Language and ignore invalid values. Additionally, the value should be filtered according to its usage (USD Advisory).
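As an added illustration of that mitigation (this is not Dolibarr's own code and not the actual 10.0.3 patch), the PHP 8 function below parses Accept-Language against a strict allowlist: any entry that does not match a narrow language-tag pattern is ignored rather than "cleaned", and the result is always one of a constructed list of supported locales, so nothing header-controlled can end up in a variable like '$langs->defaultlang'. The locale list, the fallback, and the function names are assumptions for the example.

```php
<?php
// Constructed allowlist of shipped locales and the fallback used when the header yields nothing usable.
const SUPPORTED_LANGS = ['en_US', 'fr_FR', 'de_DE', 'es_ES'];
const DEFAULT_LANG    = 'en_US';
// Normalise "fr-fr" / "FR_fr" to the xx_YY form used by the allowlist.
function normaliseTag(string $tag): string
{
    $pieces = preg_split('/[-_]/', $tag);
    $lang   = strtolower($pieces[0]);
    return isset($pieces[1]) ? $lang . '_' . strtoupper($pieces[1]) : $lang;
}
// Parse Accept-Language and return the best supported locale. Every entry must
// match a strict pattern; anything else is discarded, so no header-controlled
// bytes ever reach HTML output or SQL.
function pickLanguageFromAcceptHeader(?string $header): string
{
    if ($header === null || strlen($header) > 256) {
        return DEFAULT_LANG;
    }
    $candidates = [];
    foreach (explode(',', $header) as $index => $entry) {
        [$tag, $params] = array_pad(explode(';', trim($entry), 2), 2, '');
        $tag = trim($tag);
        // Letters only, with an optional "-"/"_" separated region: fr, fr-FR, fr_FR.
        if (!preg_match('/^[A-Za-z]{2,3}(?:[-_][A-Za-z]{2,4})?$/', $tag)) {
            continue; // invalid entry: ignore it entirely
        }
        $q = 1.0; // RFC 7231 default when no q parameter is present
        if (preg_match('/^\s*q\s*=\s*(0(?:\.\d{1,3})?|1(?:\.0{1,3})?)\s*$/', $params, $m)) {
            $q = (float) $m[1];
        }
        if ($q > 0.0) {
            $candidates[] = [$q, $index, normaliseTag($tag)];
        }
    }
    // Highest q first; equal q keeps the header's own order.
    usort($candidates, fn ($a, $b) => $b[0] <=> $a[0] ?: $a[1] <=> $b[1]);
    foreach ($candidates as [, , $tag]) {
        if (in_array($tag, SUPPORTED_LANGS, true)) {
            return $tag;
        }
        foreach (SUPPORTED_LANGS as $supported) { // bare "fr" -> first fr_* locale
            if (strlen($tag) <= 3 && str_starts_with($supported, $tag . '_')) {
                return $supported;
            }
        }
    }
    return DEFAULT_LANG;
}
```

Because the function only ever returns a constant from the allowlist, output encoding and parameterised queries remain necessary elsewhere, but the language value itself can no longer carry attacker-controlled characters.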
Source: This report was generated using AI