CVE-2024-23817: 
PHP vulnerability analysis and mitigation

Dolibarr, an enterprise resource planning (ERP) and customer relationship management (CRM) software package, was found to have a HTML Injection vulnerability in version 18.0.4. This vulnerability, identified as CVE-2024-23817, was discovered on January 25, 2024, and allows attackers to inject arbitrary HTML tags and manipulate the rendered content in the application's home page (GitHub Advisory, NVD).

The vulnerability allows attackers to inject arbitrary HTML tags into the application's response through user-supplied input parameters. The attack can be executed by submitting a login request with a specially crafted payload in an arbitrary body parameter. The CVSS v3.1 base score is rated as 6.1 (MEDIUM) by NVD with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, while GitHub rates it as 7.1 (HIGH) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N. The vulnerability is classified under CWE-79 (Cross-site Scripting) and CWE-80 (Improper Neutralization of Script-Related HTML Tags) (NVD).

When exploited, this vulnerability allows attackers to inject new HTML tags into the returned document and comment out portions of the Dolibarr App Home page HTML code. This can lead to various attacks, including Cross-Site Scripting (XSS), potentially compromising user data and application integrity (GitHub Advisory).

To remediate this vulnerability, it is recommended to validate and sanitize all user-supplied input, especially within HTML attributes, to prevent HTML injection attacks. Additionally, proper output encoding should be implemented when rendering user-provided data to ensure it is treated as plain text rather than executable HTML (GitHub Advisory).