CVE-2019-11199

Dolibarr ERP/CRM 9.0.1 was affected by stored XSS within uploaded files.
These vulnerabilities allowed the execution of a JavaScript payload each
time any regular user or administrative user clicked on the malicious link
hosted on the same domain. The vulnerabilities could be exploited by low
privileged users to target administrators. The viewimage.php page did not
perform any contextual output encoding and would display the content within
the uploaded file with a user-requested MIME type.