FacturaScripts
Monthly
FacturaScripts is open-source enterprise resource planning and accounting software. [CVSS 8.8 HIGH]
Authenticated users can execute arbitrary SQL commands against FacturaScripts REST API endpoints through unsanitized sort parameters in the ModelClass::getOrderBy() method, allowing data theft, modification, or deletion. Public exploit code exists for this vulnerability affecting all versions prior to 2025.81. Organizations using vulnerable FacturaScripts instances should immediately apply the available patch and restrict API access to trusted users.
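As an added defensive example (not FacturaScripts code): a sort-parameter validator that admits only allowlisted column names and the two fixed directions before any ORDER BY text is assembled, which is the kind of check a getOrderBy() implementation needs so that client-controlled sort keys never reach the SQL string verbatim. The class name, the column allowlist and the MySQL-style identifier quoting are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not FacturaScripts code: the sort array an API client sends
// is validated against an allowlist before it is turned into SQL.
final class SafeOrderBy
{
    /** @var string[] constructed allowlist; a real model would take it from its schema */
    private array $allowedColumns;

    public function __construct(array $allowedColumns)
    {
        $this->allowedColumns = $allowedColumns;
    }

    /**
     * @param array<string,string> $sort column => direction, as received from the request
     * @throws InvalidArgumentException on any column or direction outside the allowlist
     */
    public function build(array $sort): string
    {
        $parts = [];
        foreach ($sort as $column => $direction) {
            // Column names are compared strictly against the allowlist; nothing else passes.
            if (!in_array($column, $this->allowedColumns, true)) {
                throw new InvalidArgumentException('Unknown sort column: ' . $column);
            }
            // Direction is normalised and restricted to the two SQL keywords.
            $dir = strtoupper(trim((string) $direction));
            if ($dir !== 'ASC' && $dir !== 'DESC') {
                throw new InvalidArgumentException('Invalid sort direction for ' . $column);
            }
            // Identifier quoting assumed MySQL-style; use double quotes on PostgreSQL.
            $parts[] = '`' . $column . '` ' . $dir;
        }
        return $parts === [] ? '' : ' ORDER BY ' . implode(', ', $parts);
    }
}

// Constructed sample input resembling what a REST client might send.
$orderBy = new SafeOrderBy(['codigo', 'fecha', 'total']);
echo $orderBy->build(['fecha' => 'desc', 'codigo' => 'asc']), PHP_EOL;

try {
    // A column outside the allowlist is rejected before any SQL is built.
    $orderBy->build(['idempresa' => 'asc']);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

Logging the rejected value alongside the authenticated user gives operators a detection signal for probing of the API sort parameters.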
FacturaScripts versions 2025.71 and earlier contain a stored XSS vulnerability in the Observations field that executes arbitrary JavaScript when administrators view historical data. An authenticated attacker can inject malicious scripts that persist in the database and compromise admin sessions, with public exploit code already available. The vulnerability remains unpatched and requires administrator interaction to trigger.
Reflected cross-site scripting in FacturaScripts prior to version 2025.8 allows authenticated attackers to inject malicious scripts through crafted input that triggers database errors, which are then rendered without HTML sanitization due to unsafe Twig template filters. Public exploit code exists for this vulnerability. The issue affects error message handling and requires user interaction to exploit, with impacts limited to session hijacking or credential theft within the affected user's browser context.