CVE-2025-69210

MEDIUM

FacturaScripts < 2025.7 - Authenticated Stored Cross-Site Scripting via XML File Upload

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-69210. PoCs published by uvettrivel007.

AI-analyzed exploit summary This is a functional proof-of-concept for a stored XSS vulnerability in FacturaScripts 2025.43, where authenticated users can upload malicious XML files containing JavaScript payloads that execute when accessed by administrators.

Description

FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.7, a stored cross-site scripting (XSS) vulnerability exists in the product file upload functionality. Authenticated users can upload crafted XML files containing executable JavaScript. These files are later rendered by the application without sufficient sanitization or content-type enforcement, allowing arbitrary JavaScript execution when the file is accessed. Because product files uploaded by regular users are visible to administrative users, this vulnerability can be leveraged to execute malicious JavaScript in an administrator’s browser session. Version 2025.7 fixes the issue.

Exploits (1)

exploitdb WORKING POC

by uvettrivel007 · textwebappsmultiple

https://www.exploit-db.com/exploits/52517

View Code ZIP pw:eip

This is a functional proof-of-concept for a stored XSS vulnerability in FacturaScripts 2025.43, where authenticated users can upload malicious XML files containing JavaScript payloads that execute when accessed by administrators.

Classification

Working Poc 95%

Attack Type

Xss

Complexity

Moderate

Reliability

Reliable

Target: FacturaScripts <= 2025.4, = 2025.11, = 2025.41, = 2025.43

Auth required

Prerequisites: Authenticated user access · Ability to upload product files

MITRE ATT&CK

T1059.007 - JavaScript T1189 - Drive-by Compromise

devstral-2 · analyzed Apr 30, 2026 Full analysis →

References (3)

Core 3

Core References

Vendor Advisory x_refsource_confirm

https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-2267-xqcf-gw2m

Various Sources x_refsource_misc

https://facturascripts.com/publicaciones/ya-disponible-facturascripts-2025-7

Release Notes x_refsource_misc

https://github.com/NeoRazorX/facturascripts/releases/tag/v2025.7

Scores

CVSS v3 5.4

EPSS 0.0098

EPSS Percentile 57.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (2)

facturascripts/facturascripts < 2025.7

facturascripts/facturascripts 0 - 2025.7Packagist

Published Dec 30, 2025

Tracked Since Feb 18, 2026