Dolibarr ERP/CRM prior to 10.0.3 allows XSS because uploaded HTML documents are served as text/html despite being renamed to .noexe files.
dolibarr dolibarr