CVE 1.2 LOW

FacturaScripts vulnerable to Stored Cross-Site Scripting (XSS) via XML File Upload_CVE-2025-69210

December 30, 2025 invoker category_cve
1.2 / 10
LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U

Description

FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.7, a stored cross-site scripting (XSS) vulnerability exists in the product file upload functionality. Authenticated users can upload crafted XML files containing executable JavaScript. These files are later rendered by the application without sufficient sanitization or content-type enforcement, allowing arbitrary JavaScript execution when the file is accessed. Because product files uploaded by regular users are visible to administrative users, this vulnerability can be leveraged to execute malicious JavaScript in an administrator’s browser session. Version 2025.7 fixes the issue.

Basic Information

ID CVE-2025-69210
Source GitHub_M
Published Dec 30, 2025 at 19:23
Modified Dec 30, 2025 at 19:47

Affected Product

Vendor NeoRazorX
Product facturascripts
Version < 2025.7
Affected Versions NeoRazorX facturascripts < 2025.7

CWE Classification

CWE-79

References

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.