admin/limits.php in Dolibarr 7.0.2 allows HTML injection, as demonstrated by the MAINMAXDECIMALS_TOT parameter.
{ "cpes": [ "cpe:2.3:a:dolibarr:dolibarr_erp/crm:*:*:*:*:*:*:*:*" ], "severity": "Medium" }