Dolibarr ERP/CRM 3.0 up to and including 10.0.3 allows XSS via the qty parameter to product/fournisseurs.php (product price screen).
dolibarr dolibarr