Jan 1, 2026 · 6 min read
FacturaScripts blocked SVG uploads to prevent XSS but did not block XML and HTML, which browsers also render as active documents. An authenticated attacker can upload XML or HTML files containing script; when an administrator views the file in the browser, the script executes in the application's origin, which can lead to account takeover. Fixed in version 2025.7.
A stored Cross-Site Scripting (XSS) vulnerability in the FacturaScripts ERP system allows authenticated attackers to hijack administrator sessions by uploading malicious XML or HTML files.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

| Product | Affected Versions | Fixed Version |
|---|---|---|
| FacturaScripts FacturaScripts | < 2025.7 | 2025.7 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-79 |
| Attack Vector | Network (Stored XSS) |
| CVSS Score | 1.2 (CVSS 4.0) |
| EPSS Score | 0.06% |
| Exploit Status | PoC Available |
| Patch Commit | e908ade21c84bdc9d51190057482316730c66146 |
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
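The root cause described above is an upload filter that treats only SVG as dangerous, while HTML and XML are equally "browser-active": a browser opening them will run any inline script in the application's origin. The following is an added example written for this advisory, not FacturaScripts code and not the project's patch. It contrasts an SVG-only denylist with a check that covers every extension a browser renders as a document, adds a content sniff so a renamed file is still caught, and computes response headers that force active markup to download instead of rendering (defence in depth for anything that slips past the upload check). All filenames, sample contents and the `SAMPLE_UPLOADS` table are constructed for the example.

```python
"""Added example (not FacturaScripts code): why blocking SVG alone does not
stop stored XSS via uploads, and how to serve uploads safely."""
import re

# Extensions a browser renders as a document, i.e. from which inline
# script can execute. This is the set the original SVG-only filter missed.
BROWSER_ACTIVE_EXTENSIONS = {
    "svg", "svgz", "html", "htm", "xhtml", "xht", "xml", "xsl", "xslt",
    "shtml", "mht", "mhtml",
}

# Markers of active markup near the start of a file, checked so that a
# file renamed to .txt or .pdf is still recognised as HTML/XML/SVG.
ACTIVE_MARKUP = re.compile(
    rb"<\s*(\?xml|!doctype\s+html|html|svg|script)\b",
    re.IGNORECASE,
)

# Constructed sample uploads (hypothetical, for the demonstration only).
SAMPLE_UPLOADS = {
    "logo.svg": b"<svg xmlns='http://www.w3.org/2000/svg'><script>alert(1)</script></svg>",
    "evil.html": b"<html><body><script>alert(1)</script></body></html>",
    "data.xml": b"<?xml version='1.0'?><root><script>alert(1)</script></root>",
    "notes.txt": b"<script>alert(1)</script>",  # renamed HTML fragment
    "invoice.pdf": b"%PDF-1.4 constructed placeholder",
}


def extension_of(filename: str) -> str:
    """Lower-cased extension of the last path component, '' if none."""
    name = filename.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def svg_only_policy_blocks(filename: str) -> bool:
    """The incomplete policy the advisory describes: rejects SVG only."""
    return extension_of(filename) in {"svg", "svgz"}


def is_browser_active(filename: str, content: bytes) -> bool:
    """Complete check: extension denylist plus a sniff of the leading bytes."""
    if extension_of(filename) in BROWSER_ACTIVE_EXTENSIONS:
        return True
    return ACTIVE_MARKUP.search(content[:4096].lstrip()) is not None


def response_headers(filename: str, content: bytes) -> dict:
    """Headers for serving a stored upload back to a user.

    Active markup is sent as an opaque download so the browser never
    renders it inside the application's origin; everything is served
    with nosniff and a sandboxing CSP as a second layer.
    """
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename.rsplit("/", 1)[-1])
    headers = {
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }
    if is_browser_active(filename, content):
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = f'attachment; filename="{safe_name}"'
    else:
        headers["Content-Disposition"] = f'inline; filename="{safe_name}"'
    return headers


def triage_uploads(uploads: dict) -> dict:
    """For each sample, report what each policy would do with it."""
    return {
        name: {
            "svg_only_blocks": svg_only_policy_blocks(name),
            "complete_blocks": is_browser_active(name, data),
            "disposition": response_headers(name, data)["Content-Disposition"].split(";")[0],
        }
        for name, data in uploads.items()
    }


if __name__ == "__main__":
    for name, verdict in triage_uploads(SAMPLE_UPLOADS).items():
        print(f"{name:12s} {verdict}")
```

Running the block shows the gap the advisory is about: `evil.html`, `data.xml` and the renamed `notes.txt` pass the SVG-only policy but are caught by the complete check, while `invoice.pdf` is still served inline. Even if an upload filter is kept lenient for business reasons, serving user-supplied files with `Content-Disposition: attachment`, `nosniff` and a sandboxing CSP (or from a separate origin) removes the stored-XSS impact described in this advisory.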