GHSA-cpv8-6xgr-rmf6 · Severity: critical · Ecosystem: composer — Dolibarr Cross-site Scripting vulnerability
In Dolibarr ERP CRM, the WYSIWYG Editor module in versions 2.8.1 to 13.0.2 is affected by a stored XSS vulnerability that allows low-privileged application users to store malicious scripts in the “Private Note” field at the “/adherents/note.php?id=1” endpoint. These scripts execute in a victim’s browser when the victim opens the page containing the vulnerable field. In the worst case, the victim who inadvertently triggers the attack is a highly privileged administrator. The injected scripts can extract the session ID, which can lead to full account takeover of the administrator; combined with another vulnerability (improper access control on private notes), a low-privileged user can update the private notes, which can lead to privilege escalation.
Conclusion & alert: CVE-2021-25955 is rated Moderate Risk (55.6/100): CVSS Critical severity with medium exploitation likelihood (EPSS 0.89%). Mandatory action: review affected assets and schedule remediation.
EPSS lead: the daily EPSS score estimates the relative likelihood of exploitation; the percentile ranks this CVE among all scored vulnerabilities (a higher percentile means a higher relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.41% | 0.89% | +0.48% |
| 2 | 2025-03-30 | 0.56% | 0.41% | -0.14% |
| 3 | 2025-03-29 | — | 0.56% | — |
Full EPSS history (9 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 9.0 | 3.1 | CRITICAL | | 2.3 | 6.0 | [email protected] |
| 9.0 | 3.1 | CRITICAL | | 2.3 | 6.0 | [email protected] |
| 3.5 | 2.0 | LOW | | 6.8 | 2.9 | [email protected] |
| vendor | priority | summary | link |
|---|---|---|---|
| ubuntu | medium | CVE-2021-25955 medium priority: Ubuntu including 1 source package (dolibarr), 15 status rows across 15 suites (bionic, focal, hirsute, impish, jammy, kinetic, lunar, mantic, noble, oracular, plucky, questing, trusty, upstream, xenial): DNE 13, needed 1, needs-triage 1. | https://ubuntu.com/security/CVE-2021-25955 |
| URL | Tags |
|---|---|
| https://github.com/Dolibarr/dolibarr/commit/796b2d201acb9938b903fb2afa297db289ecc93e | Patch Third Party Advisory |
| https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25955 | Third Party Advisory |