CVE-2025-55580
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-08-29

Last updated on: 2025-09-09

Assigner: MITRE

Description
SolidInvoice version 2.3.7 is vulnerable to a stored cross-site scripting (XSS) issue in the Clients module. An authenticated attacker can inject JavaScript that executes in other users' browsers when the Clients page is viewed. The vulnerability is fixed in version 2.3.8.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-08-29
Last Modified
2025-09-09
Generated
2026-06-16
AI Q&A
2025-08-29
EPSS Evaluated
2026-06-14
NVD
CVE-2025-55580
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
solidinvoice solidinvoice 2.3.7
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-55580 is a Stored Cross-Site Scripting (XSS) vulnerability in the Client Module of SolidInvoice version 2.3.7. An authenticated attacker can inject malicious JavaScript code into the 'Name' field when adding a client. This code is stored and later executed in the browsers of other authenticated users who view the Clients page, potentially compromising their sessions and data. [1]

Impact Analysis

This vulnerability can lead to session hijacking, theft of credentials or tokens, phishing or social engineering attacks, and unauthorized actions performed on behalf of other users in multi-user environments. Essentially, attackers can exploit this to compromise user accounts and perform malicious activities within the application. [1]

Detection Guidance

This vulnerability can be detected by testing the Client Module of SolidInvoice, specifically by attempting to inject a script payload into the 'Name' field when adding a client. For example, an authenticated user can navigate to Clients > Add Client and input a script such as `<script>prompt(document.cookie)</script>` in the Name field. If the script executes when viewing Clients > List Clients, the system is vulnerable. There are no specific network commands provided, but manual testing through the application interface is recommended. [1]

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update SolidInvoice to version 2.3.8 or later, where the issue has been resolved. Until the update is applied, restrict access to the Clients module to trusted users only and avoid adding new clients with untrusted input to prevent exploitation. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-55580. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart