CVE-2025-55579
BaseFortify
Publication date: 2025-08-29
Last updated on: 2025-09-09
Assigner: MITRE
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| solidinvoice | solidinvoice | 2.3.7 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-55579 is a Stored Cross-Site Scripting (XSS) vulnerability in SolidInvoice version 2.3.7, specifically in the Tax Rate functionality. An authenticated attacker can inject malicious JavaScript code into the Tax Rates section, which is then stored and executed in the browsers of other authenticated users who view that page. This allows the attacker to perform actions like stealing session tokens or credentials, phishing, or executing unauthorized actions on behalf of other users. The vulnerability was fixed in version 2.3.8. [1]
How can this vulnerability impact me?
This vulnerability can lead to session hijacking, credential or token theft, phishing, social engineering attacks, and unauthorized actions performed on behalf of other users in multi-user environments. Essentially, attackers can compromise user accounts and perform malicious activities by exploiting the stored XSS flaw. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by verifying if your SolidInvoice installation is version 2.3.7 or earlier and by testing the Tax Rates functionality for stored XSS. Specifically, an authenticated user can attempt to add a Tax Rate with a malicious payload such as `<image/src/onerror=prompt(1)>` in the Name field via the UI (System > Tax Rates > Add Tax Rate). If the payload executes when revisiting the Tax Rates page, the vulnerability is present. There are no specific network commands provided, but manual testing through the application interface is recommended. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to update SolidInvoice to version 2.3.8 or later, where the issue has been fixed. Until the update can be applied, restrict access to the Tax Rates functionality to trusted users only and avoid adding or editing Tax Rates to prevent exploitation. [1]
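The detection and mitigation answers above describe two defender-side checks (is the installed version older than the 2.3.8 fix, and do any stored Tax Rate names already contain markup) and one root-cause fix (encode the stored name on output instead of rendering it verbatim). The following is an added example written for this page; it is not SolidInvoice's own code. It assumes tax rates are available as plain dicts with `id`, `name` and `rate` keys (for instance exported from the database) and that the installed version is a dotted string such as `"2.3.7"`; the sample records are constructed, with the second one reusing the payload quoted in the detection answer.

```python
"""Defender-side helpers for CVE-2025-55579 (stored XSS in SolidInvoice Tax Rate names).

Added example, not SolidInvoice code. Assumptions: tax rates are available as
plain dicts with "id", "name" and "rate" keys, and the installed version is a
dotted string such as "2.3.7".
"""
import html
import re

FIXED_VERSION = (2, 3, 8)  # release named on the page as carrying the fix


def parse_version(version: str) -> tuple:
    """Turn '2.3.7' into (2, 3, 7); non-numeric suffixes such as '-beta1' are ignored."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def is_affected_version(version: str) -> bool:
    """True when the installed SolidInvoice is older than the fixed release."""
    return parse_version(version) < FIXED_VERSION


# Markup that has no business in a tax rate name: any tag, or an event-handler
# attribute such as onerror=, which is what the page's sample payload relies on.
_MARKUP = re.compile(r"<[^>]*>|on\w+\s*=", re.IGNORECASE)


def find_suspicious_tax_rates(tax_rates):
    """Return the ids of stored tax rates whose name contains HTML markup.

    Useful after upgrading: the fix stops new payloads from executing, but
    previously stored names should still be reviewed and cleaned up.
    """
    return [r["id"] for r in tax_rates if _MARKUP.search(r["name"])]


def render_tax_rate_row_vulnerable(rate) -> str:
    """The defect class (CWE-79): stored name dropped into the page verbatim."""
    return f"<tr><td>{rate['name']}</td><td>{rate['rate']}%</td></tr>"


def render_tax_rate_row_fixed(rate) -> str:
    """Hardened form: encode on output so a stored name is displayed as text, not parsed as HTML."""
    return f"<tr><td>{html.escape(rate['name'], quote=True)}</td><td>{rate['rate']}%</td></tr>"


# Constructed sample records, not real data; record 2 reuses the payload quoted on the page.
SAMPLE_TAX_RATES = [
    {"id": 1, "name": "VAT", "rate": 20},
    {"id": 2, "name": "<image/src/onerror=prompt(1)>", "rate": 0},
]

if __name__ == "__main__":
    print("affected:", is_affected_version("2.3.7"))
    print("suspicious tax rate ids:", find_suspicious_tax_rates(SAMPLE_TAX_RATES))
    print("vulnerable row:", render_tax_rate_row_vulnerable(SAMPLE_TAX_RATES[1]))
    print("fixed row:     ", render_tax_rate_row_fixed(SAMPLE_TAX_RATES[1]))
```

The encoded row shows the stored name as literal text (`&lt;image/src/...&gt;`), which is the behaviour the 2.3.8 fix restores; the scan over stored names is the part worth running once after the upgrade, because upgrading alone does not remove records that were created while 2.3.7 was in use.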