Dolibarr 9.0.5 has stored XSS in a User Note section to note.php. A user with no privileges can inject script to attack the admin.
dolibarr dolibarr erp/crm 9.0.5