Executive Summary

This vulnerability is a stored Cross-Site Scripting (XSS) issue in FacturaScripts, an open source accounting and invoicing software. It exists in versions 2025.92 and earlier within the product search modal of sales and purchases documents. An authenticated user with access to the warehouse module can create a product with a malicious reference. This malicious reference executes arbitrary JavaScript code in the browser of any other user who opens the product search modal inside an invoice, order, or delivery note.

Useful 0 Not Useful 0

Impact Analysis

The vulnerability allows an attacker with warehouse module access to inject malicious JavaScript that executes in other users' browsers. This can lead to unauthorized actions performed on behalf of those users, theft of sensitive information such as session tokens, or manipulation of displayed data. Since the attack requires user interaction (opening the product search modal), it can be used to compromise user accounts or disrupt normal operations within the invoicing or ordering processes.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows execution of arbitrary JavaScript in the context of authenticated users, potentially enabling unauthorized actions such as data exfiltration or creation of admin users.

Such unauthorized access and potential data leakage could impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.

However, the provided information does not explicitly discuss the direct impact on compliance with these regulations.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if the product search modal in sales and purchases documents is vulnerable to stored Cross-Site Scripting (XSS) via the 'referencia' field. Since the vulnerability involves an authenticated user with warehouse module access creating a product with a malicious reference, detection involves verifying if such malicious references exist in the database and if the product search modal improperly escapes the 'referencia' field.

To detect exploitation attempts or presence of malicious payloads, you can search the database for suspicious JavaScript code in product references.

• Run a database query to find product references containing suspicious script tags or JavaScript code, for example: SELECT * FROM products WHERE referencia LIKE '%<script>%';
• Monitor HTTP requests and responses involving the product search modal for injected JavaScript code in the 'referencia' field.
• Use web application security scanners or manual testing tools to attempt injecting JavaScript into the 'referencia' field and observe if it executes when opening the product search modal.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to apply proper escaping to the 'referencia' field in the affected files to prevent execution of injected JavaScript code.

Specifically, apply the htmlspecialchars() function with ENT_QUOTES flag to the 'referencia' field in both Core/Lib/AjaxForms/SalesModalHTML.php and Core/Lib/AjaxForms/PurchasesModalHTML.php.

This fix ensures that special characters are properly escaped before being inserted into the HTML onclick attribute, preventing the script from breaking out of the JavaScript string context.

Additionally, restrict warehouse module access to trusted users only, and monitor for suspicious product references.

Useful 0 Not Useful 0