Stored XSS in FacturaScripts 2025.43 Enables Admin Session Hijack (CVE‑2025‑69210)
What Happened – A stored cross‑site scripting (XSS) flaw (CVE‑2025‑69210) exists in FacturaScripts 2025.43’s product‑file upload feature. Authenticated users can upload a crafted XML file that is later rendered without proper sanitisation, allowing arbitrary JavaScript execution in the browser of any administrator who views the file.
Why It Matters for TPRM –
- Attackers can steal admin credentials or session cookies, compromising the entire ERP environment.
- The vulnerability is exploitable in on‑premises and hosted SaaS deployments alike, expanding the attack surface of any downstream client.
- No public patch was available until the 2025.7 release, leaving many installations exposed.
Who Is Affected – Small‑ to medium‑sized businesses using FacturaScripts ERP (any industry that relies on the platform for invoicing, inventory, or accounting).
Recommended Actions –
- Verify the version of FacturaScripts in use; upgrade immediately to v2025.7 or later.
- Apply web‑application firewall (WAF) rules to block XML uploads containing script tags.
- Conduct a review of user‑generated content handling and enforce strict content‑type validation.
Technical Notes – The flaw resides in the “Warehouse → Products” file‑upload endpoint; the payload is delivered via a crafted XML file that executes alert() and can redirect the admin to a malicious site. No CVE‑specific exploit code is required beyond standard multipart/form‑data manipulation. Source: Exploit‑DB 52517
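The content‑type validation recommended above, applied to the XML upload path described in the Technical Notes, as an added Python example (not FacturaScripts code): it enforces an allowlist of declared types, checks the declared type against the file's magic bytes, rejects XML that a browser would execute when rendering it, and serves stored files as downloads. The allowlist, magic table and sample files are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed allowlist of declared types for product attachments (assumption, not the project's).
ALLOWED_TYPES = {"application/pdf", "image/png", "image/jpeg", "application/xml", "text/xml"}
# Magic bytes used to confirm the declared type against the real content.
MAGIC = {b"%PDF-": "application/pdf", b"\x89PNG\r\n\x1a\n": "image/png", b"\xff\xd8\xff": "image/jpeg"}
# Constructed samples: a plain product record and an XML file carrying an XHTML script element.
BENIGN_XML = b'<?xml version="1.0"?><product><sku>A-100</sku><price>9.50</price></product>'
XSS_XML = b'<product xmlns:h="http://www.w3.org/1999/xhtml"><h:script>alert(1)</h:script></product>'

def _local(name):
    return name.rsplit("}", 1)[-1].lower()  # '{http://www.w3.org/1999/xhtml}script' -> 'script'

def xml_has_active_content(data):
    """True if the XML holds anything a browser could execute when it renders the file."""
    if b"<?xml-stylesheet" in data.lower():  # XSLT can rewrite the document into HTML
        return True
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return True  # unparsable input is rejected rather than guessed at
    for el in root.iter():
        if _local(el.tag) in ("script", "iframe", "object", "embed"):
            return True
        for attr, value in el.attrib.items():
            if _local(attr).startswith("on"):  # onload=, onerror=, ...
                return True
            if _local(attr) in ("href", "src") and value.strip().lower().startswith("javascript:"):
                return True
    return False

def validate_upload(declared_type, data):
    """Return (accepted, reason) for an upload, decided before it is written to storage."""
    if declared_type not in ALLOWED_TYPES:
        return False, "content type not allowed"
    sniffed = next((t for magic, t in MAGIC.items() if data.startswith(magic)), None)
    if sniffed is not None:
        return (True, "ok") if sniffed == declared_type else (False, "declared type does not match content")
    if declared_type not in ("application/xml", "text/xml") or not data.lstrip().startswith(b"<"):
        return False, "declared type does not match content"
    if xml_has_active_content(data):
        return False, "XML contains active content"
    return True, "ok"

def download_headers(filename):
    """Serve stored files as downloads so the admin's browser never renders them inline."""
    safe = "".join(c for c in filename if c.isalnum() or c in "._-") or "file"
    return {"Content-Type": "application/octet-stream",
            "Content-Disposition": f'attachment; filename="{safe}"',
            "X-Content-Type-Options": "nosniff"}
```

The download headers are the second layer: even if a crafted file slips past validation, a browser told not to sniff and to save the response cannot execute it.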