
Ledger Poisoning: Stored XSS in FacturaScripts (CVE-2025-69210)

Amit Schendel, Senior Security Researcher

Jan 1, 2026

Executive Summary (TL;DR)

FacturaScripts' upload filter blocked SVG files to prevent XSS but did not cover XML and HTML. An authenticated user can upload files of those types containing script; when an administrator opens the file in the browser, the script runs in the administrator's session, which can lead to account takeover. Fixed in version 2025.7.

A stored Cross-Site Scripting (XSS) vulnerability in the FacturaScripts ERP system allows authenticated attackers to hijack administrator sessions by uploading malicious XML or HTML files.
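The root cause described above is an upload filter built as a deny-list: one scriptable format (SVG) is rejected, while other formats a browser will render as markup (HTML, XML) pass through. The following is an added illustration, not FacturaScripts' own upload code and not the actual patch: it places the deny-list pattern next to an allow-list validator that also checks the file's leading bytes, and adds the response headers that stop a stored file from executing even if validation is bypassed. All function names, the allow-list contents and the sample files are constructed for this example.

```python
import os

# Leading-byte markers that mean "a browser may interpret this as markup".
# Constructed for this example; extend to the formats your application serves.
SCRIPTABLE_MARKERS = (b"<?xml", b"<svg", b"<html", b"<!doctype html", b"<script")


def denylist_accepts(filename: str) -> bool:
    """Vulnerable pattern: reject only the one extension known to carry scripts.
    Anything not named here (.html, .xml, .xhtml, ...) is accepted unchanged."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext != "svg"


# Hardened pattern: an explicit allow-list of extensions, each paired with the
# magic bytes a genuine file of that type starts with (None = plain-text type,
# which is instead checked for markup below). Constructed for this example.
ALLOWED_TYPES = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "csv": None,
    "txt": None,
}


def allowlist_accepts(filename: str, content: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). The extension must be on the allow-list, the
    content must match that type's signature, and text types must not contain
    markup a browser could execute. Extension and content are checked together
    so that renaming an HTML file to .pdf or .txt does not get it through."""
    if "." not in filename:
        return False, "no extension"
    ext = filename.rsplit(".", 1)[-1].lower()
    if ext not in ALLOWED_TYPES:
        return False, f"extension .{ext} is not on the allow-list"
    magic = ALLOWED_TYPES[ext]
    if magic is not None:
        if not content.startswith(magic):
            return False, f"content does not match the .{ext} signature"
        return True, "ok"
    # Plain-text types: look at the first KiB for anything markup-like.
    head = content[:1024].lstrip().lower()
    for marker in SCRIPTABLE_MARKERS:
        if marker in head:
            return False, f"text file contains markup marker {marker.decode()!r}"
    return True, "ok"


def safe_download_headers(filename: str) -> dict[str, str]:
    """Defence in depth for serving stored uploads: force a download, forbid
    MIME sniffing, and never echo the client's declared content type. With these
    headers an admin who clicks a stored file does not get it rendered inline."""
    base = os.path.basename(filename)
    safe_name = "".join(ch for ch in base if ch.isalnum() or ch in "._-") or "download"
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


if __name__ == "__main__":
    # Constructed sample uploads: the two formats the advisory names, a renamed
    # HTML file, and two legitimate files.
    samples = [
        ("notes.html", b"<!DOCTYPE html><html><body><script>/* ... */</script></body></html>"),
        ("export.xml", b"<?xml version='1.0'?><root/>"),
        ("invoice.pdf", b"<html><body>not really a pdf</body></html>"),
        ("invoice.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),
        ("logo.png", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),
    ]
    for name, data in samples:
        print(f"{name:12} deny-list: {denylist_accepts(name)!s:5} "
              f"allow-list: {allowlist_accepts(name, data)}")
```

The two checks differ on exactly the case the advisory describes: `denylist_accepts` passes `.html` and `.xml` files because it only knows about `.svg`, while `allowlist_accepts` rejects them because neither extension is on the list and, for text types, the content itself is inspected. `safe_download_headers` is the second layer: even if a scriptable file reaches storage, serving it as an attachment with `nosniff` and a sandboxing CSP keeps the browser from executing it in the administrator's origin.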


Technical Appendix

CVSS Score: 1.2 / 10
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
EPSS Probability: 0.06% (top 88% most exploited)

Affected Systems

FacturaScripts < 2025.7

Affected Versions Detail

Product: FacturaScripts
Affected Versions: < 2025.7
Fixed Version: 2025.7

CWE ID: CWE-79
Attack Vector: Network (Stored XSS)
CVSS Score: 1.2 (CVSS 4.0)
EPSS Score: 0.06%
Exploit Status: PoC Available
Patch Commit: e908ade21c84bdc9d51190057482316730c66146

CWE-79: Cross-site Scripting

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Vulnerability Timeline

Patch Applied: 2025-01-20
CVE Published: 2025-02-14
