GHSA-2267-xqcf-gw2m

Source
https://github.com/advisories/GHSA-2267-xqcf-gw2m
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-2267-xqcf-gw2m/GHSA-2267-xqcf-gw2m.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-2267-xqcf-gw2m
Aliases
Published
2025-12-30T20:52:21Z
Modified
2026-01-02T23:13:40.032914Z
Severity
  • 8.6 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Summary
FacturaScripts is Vulnerable to Stored Cross-Site Scripting (XSS) via XML File Upload
Details

A stored cross-site scripting (XSS) vulnerability exists in the product file upload functionality.

Authenticated users can upload crafted XML files containing executable JavaScript. These files are later rendered by the application without sufficient sanitization or content-type enforcement, allowing arbitrary JavaScript execution when the file is accessed.

Because product files uploaded by regular users are visible to administrative users, this vulnerability can be leveraged to execute malicious JavaScript in an administrator’s browser session.
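The two controls that the description points at are inspecting uploaded XML before it is stored and serving stored files with headers that stop the browser from rendering them in the application's origin. The following is an added illustration in Python, not FacturaScripts code and not a description of how the project fixed the issue; the allowlist, size limit and function names are assumptions made for the example.

```python
"""Defensive handling of user-uploaded files (added example, not project code).

Two controls that address the failure mode described in the advisory:
 1. Uploaded XML is inspected before storage and rejected if it carries
    script-capable content.
 2. Stored files are served back with headers that force a download and
    forbid MIME sniffing, so the browser never renders them as a document
    inside the application's origin.
"""
import re
import xml.etree.ElementTree as ET

# Hypothetical server-side allowlist: extension -> MIME type to serve.
# The Content-Type sent by the uploading client is never trusted.
ALLOWED_TYPES = {
    "xml": "application/xml",
    "pdf": "application/pdf",
    "png": "image/png",
    "jpg": "image/jpeg",
}

MAX_XML_BYTES = 2 * 1024 * 1024  # constructed limit; bounds parsing cost

# Characters permitted in a filename echoed back in Content-Disposition.
SAFE_NAME = re.compile(r"[^A-Za-z0-9._-]")


def xml_upload_problems(data: bytes) -> list[str]:
    """Return the reasons an uploaded XML document should be rejected.

    An empty list means no script-capable construct was found. Element and
    attribute names are compared by local name, so namespaced variants such
    as {http://www.w3.org/1999/xhtml}script are caught as well.
    """
    if len(data) > MAX_XML_BYTES:
        return ["document exceeds size limit"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    problems = []
    for elem in root.iter():
        local = elem.tag.rsplit("}", 1)[-1].lower()
        if local == "script":
            problems.append("<script> element present")
        for attr, value in elem.attrib.items():
            attr_local = attr.rsplit("}", 1)[-1].lower()
            if attr_local.startswith("on"):
                problems.append(f"event-handler attribute {attr_local!r}")
            if value.strip().lower().startswith("javascript:"):
                problems.append(f"javascript: URL in attribute {attr_local!r}")
    return problems


def download_headers(filename: str) -> dict[str, str]:
    """Headers for serving a stored upload so the browser will not execute it.

    The MIME type comes from the server-side allowlist; unknown extensions
    fall back to application/octet-stream.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    mime = ALLOWED_TYPES.get(ext, "application/octet-stream")
    safe = SAFE_NAME.sub("_", filename) or "download"
    return {
        "Content-Type": mime,
        # Force a download instead of inline rendering in the app's origin.
        "Content-Disposition": f'attachment; filename="{safe}"',
        # Stop browsers from sniffing the body into text/html or a script.
        "X-Content-Type-Options": "nosniff",
        # Belt and braces: if it is rendered anyway, run it in an opaque
        # origin with no script or resource loading allowed.
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }


if __name__ == "__main__":
    # Constructed sample inputs.
    print(xml_upload_problems(b"<invoice><total>10</total></invoice>"))
    print(download_headers("report.xml"))
```

The upload check is a coarse filter and will also reject legitimate attributes that happen to start with `on`; the header hardening is the control that actually closes the rendering path, so it should be applied to every stored file regardless of what the upload-time inspection concluded.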

Database specific
{
    "nvd_published_at": "2025-12-30T20:16:01Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-30T20:52:21Z"
}
References

Affected packages

Packagist

facturascripts/facturascripts

Package

Name
facturascripts/facturascripts
Purl
pkg:composer/facturascripts/facturascripts

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2025.7

Affected versions

2018.*

2018.03
2018.04
2018.05
2018.11

v2018.*

v2018.12
v2018.13
v2018.14
v2018.15
v2018.16

v2020.*

v2020.01
v2020.2
v2020.3
v2020.4
v2020.51
v2020.61
v2020.71
v2020.80

Other

v2021
v2024
v2025

v2021.*

v2021.1
v2021.2
v2021.4
v2021.51
v2021.71
v2021.81

v2022.*

v2022.2
v2022.4
v2022.06
v2022.08
v2022.51

v2023.*

v2023.03
v2023.08
v2023.16
v2023.21

v2024.*

v2024.1
v2024.2
v2024.3
v2024.5
v2024.7
v2024.8
v2024.9
v2024.91
v2024.93
v2024.94
v2024.95
v2024.96

v2025.*

v2025.2
v2025.3
v2025.4

Database specific

last_known_affected_version_range

"<= 2025.4"

facturascripts/facturascripts

Package

Name
facturascripts/facturascripts
Purl
pkg:composer/facturascripts/facturascripts

Affected ranges

Affected versions

2025.*

2025.11

facturascripts/facturascripts

Package

Name
facturascripts/facturascripts
Purl
pkg:composer/facturascripts/facturascripts

Affected ranges

Affected versions

2025.*

2025.41

facturascripts/facturascripts

Package

Name
facturascripts/facturascripts
Purl
pkg:composer/facturascripts/facturascripts

Affected ranges

Affected versions

2025.*

2025.43