Executive Summary

CVE-2025-55579 is a Stored Cross-Site Scripting (XSS) vulnerability in SolidInvoice version 2.3.7, specifically in the Tax Rate functionality. An authenticated attacker can inject malicious JavaScript code into the Tax Rates section, which is then stored and executed in the browsers of other authenticated users who view that page. This allows the attacker to perform actions like stealing session tokens or credentials, phishing, or executing unauthorized actions on behalf of other users. The vulnerability was fixed in version 2.3.8. [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to session hijacking, credential or token theft, phishing, social engineering attacks, and unauthorized actions performed on behalf of other users in multi-user environments. Essentially, attackers can compromise user accounts and perform malicious activities by exploiting the stored XSS flaw. [1]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by verifying if your SolidInvoice installation is version 2.3.7 or earlier and by testing the Tax Rates functionality for stored XSS. Specifically, an authenticated user can attempt to add a Tax Rate with a malicious payload such as `<image/src/onerror=prompt(1)>` in the Name field via the UI (System > Tax Rates > Add Tax Rate). If the payload executes when revisiting the Tax Rates page, the vulnerability is present. There are no specific network commands provided, but manual testing through the application interface is recommended. [1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update SolidInvoice to version 2.3.8 or later, where the issue has been fixed. Until the update can be applied, restrict access to the Tax Rates functionality to trusted users only and avoid adding or editing Tax Rates to prevent exploitation. [1]

Useful 0 Not Useful 0