{"id":"CVE-2019-19210","details":"Dolibarr ERP/CRM before 10.0.3 allows XSS because uploaded HTML documents are served as text/html despite being renamed to .noexe files.","aliases":["GHSA-87r3-4gc8-f897"],"modified":"2026-03-15T21:45:10.853923Z","published":"2020-03-16T15:15:12.427Z","references":[{"type":"ADVISORY","url":"https://www.dolibarr.org/forum/dolibarr-changelogs"},{"type":"ADVISORY","url":"https://herolab.usd.de/en/security-advisories/"},{"type":"EVIDENCE","url":"https://herolab.usd.de/security-advisories/usd-2019-0052/"}],"affected":[{"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"3.0.0"},{"fixed":"10.0.3"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-19210.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}