htdocs/user/passwordforgotten.php in Dolibarr 10.0.6 allows XSS via the Referer HTTP header.
dolibarr dolibarr erp\\/crm 10.0.6