Vulnerability DatabaseCVE-2021-25955

CVE-2021-25955:
PHP vulnerability analysis and mitigation

Overview

In Dolibarr ERP CRM's WYSIWYG Editor module, versions 2.8.1 to v13.0.2 are affected by a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered and disclosed on August 15, 2021, and received a CVSS v3.1 score of 9.0 (CRITICAL) (NVD).

Technical details

The vulnerability allows low-privileged application users to store malicious scripts in the 'Private Note' field at the '/adherents/note.php?id=1' endpoint. These scripts are executed in a victim's browser when they open the page containing the vulnerable field. The vulnerability is particularly severe when combined with an Improper Access Control vulnerability on Private notes, as it could lead to privilege escalation (WhiteSource).

Impact

When exploited, the vulnerability can lead to full account takeover, particularly if the victim is a highly privileged administrator. The injected scripts can extract the Session ID, which combined with other vulnerabilities related to Private notes access control, enables privilege escalation for low-privileged users (WhiteSource).

Mitigation and workarounds

The recommended mitigation is to upgrade to Dolibarr version 14.0.0 or later. A security patch was implemented to enhance the sanitizing of input, as evidenced by the commit that addresses the vulnerability (GitHub Commit).

Additional resources

Source: This report was generated using AI

View vulnerable instances

Not a customer? See how Wiz maps CVEs like this one to real cloud attack paths.

Watch 12-min demo

9

Score

Published August 15, 2021

Severity CRITICAL

CNA Score 9.0

Affected Technologies

PHP
NixOS

Has Public Exploit No

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 61.1

Exploitation Probability (EPSS) 0.4

Affected packages and libraries

cpe:2.3:a:dolibarr:dolibarr
dolibarr

Sources

GitHub Advisory Database
- Composer Severity CRITICALHas FixAdded at: Nov 23, 2021
Nix
- Nix Severity CRITICALNo FixAdded at: Nov 01, 2023
Ubuntu Security Tracker
- Ubuntu 16.04 Severity MEDIUMNo FixAdded at: Nov 13, 2023
NVD
- Windows Severity CRITICALHas FixAdded at: Sep 15, 2024

Get a CVE risk assessment

Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.

Request assessment

Related PHP vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2026-23492	HIGH	8.8	PHP	pimcore/pimcore	No	Yes	Jan 14, 2026
CVE-2026-23498	HIGH	7.2	PHP	shopware/core	No	Yes	Jan 14, 2026
GHSA-595p-g7xc-c333	MEDIUM	6.9	PHP	algolia/algoliasearch-magento-2	No	Yes	Jan 14, 2026
CVE-2022-50807	MEDIUM	6.9	PHP	concrete5/concrete5	No	No	Jan 13, 2026
CVE-2026-0859	MEDIUM	5.2	PHP	typo3/cms-core	No	Yes	Jan 13, 2026

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

A threat intelligence database

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."

David EstlickCISO

"Wiz provides a single pane of glass to see what is going on in our cloud environments."

Adam FletcherChief Security Officer

"We know that if Wiz identifies something as critical, it actually is."

Greg PoniatowskiHead of Threat and Vulnerability Management

Get a demo

CVE-2021-25955: PHP vulnerability analysis and mitigation