CVE-2025-9168

A vulnerability was found in SolidInvoice up to 2.4.0. This issue affects some unknown processing of the file /invoice of the component Invoice Creation Module. The manipulation of the argument Client Name results in cross site scripting. The attack may be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS v3.0 3.5 LOW

3.5^/10

CVSS v3.0 : LOW

Vector :

Exploitability : 2.1 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/Gabrielmouraofc/PoC_Vuldb/blob/main/%F0%9F%93%84POC%20Stored%20XSS%202.md
https://github.com/Gabrielmouraofc/PoC_Vuldb/blob/main/%F0%9F%93%84POC%20Stored%20XSS%202.md#-exploitation-steps
https://vuldb.com/?ctiid.320545
https://vuldb.com/?id.320545
https://vuldb.com/?submit.630625

Configurations

No configuration.

History

19 Aug 2025, 21:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-19 21:15

Updated : 2025-08-19 21:15

NVD link : CVE-2025-9168

Mitre link : CVE-2025-9168

JSON object : View

Products Affected

No product.

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-94

Improper Control of Generation of Code ('Code Injection')

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://github.com/Gabrielmouraofc/PoC_Vuldb/blob/main/%F0%9F%93%84POC%20Stored%20XSS%202.md", "name": "https://github.com/Gabrielmouraofc/PoC_Vuldb/blob/main/%F0%9F%93%84POC%20Stored%20XSS%202.md", "tags": [], "refsource": ""}, {"url": "https://github.com/Gabrielmouraofc/PoC_Vuldb/blob/main/%F0%9F%93%84POC%20Stored%20XSS%202.md#-exploitation-steps", "name": "https://github.com/Gabrielmouraofc/PoC_Vuldb/blob/main/%F0%9F%93%84POC%20Stored%20XSS%202.md#-exploitation-steps", "tags": [], "refsource": ""}, {"url": "https://vuldb.com/?ctiid.320545", "name": "VDB-320545 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": [], "refsource": ""}, {"url": "https://vuldb.com/?id.320545", "name": "VDB-320545 | SolidInvoice Invoice Creation invoice cross site scripting", "tags": [], "refsource": ""}, {"url": "https://vuldb.com/?submit.630625", "name": "Submit #630625 | Open-Source SolidInvoice 2.4.0 Stored Cross-Site Scripting (XSS)", "tags": [], "refsource": ""}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "A vulnerability was found in SolidInvoice up to 2.4.0. This issue affects some unknown processing of the file /invoice of the component Invoice Creation Module. The manipulation of the argument Client Name results in cross site scripting. The attack may be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-94"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2025-9168", "ASSIGNER": "cna@vuldb.com"}}, "impact": {"baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.5, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.1}}, "publishedDate": "2025-08-19T21:15Z", "configurations": {"nodes": [], "CVE_data_version": "4.0"}, "lastModifiedDate": "2025-08-19T21:15Z"}