CVE-2025-69210 (CNNVD-202512-5076)
中文标题:
FacturaScripts 跨站脚本漏洞
英文标题:
FacturaScripts vulnerable to Stored Cross-Site Scripting (XSS) via XML File Upload
漏洞描述
中文描述:
FacturaScripts是西班牙Carlos Garcia个人开发者的一个开源 ERP 软件。 FacturaScripts 2025.7之前版本存在跨站脚本漏洞,该漏洞源于产品文件上传功能清理和内容类型强制不足,可能导致存储型跨站脚本攻击。
英文描述:
FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.7, a stored cross-site scripting (XSS) vulnerability exists in the product file upload functionality. Authenticated users can upload crafted XML files containing executable JavaScript. These files are later rendered by the application without sufficient sanitization or content-type enforcement, allowing arbitrary JavaScript execution when the file is accessed. Because product files uploaded by regular users are visible to administrative users, this vulnerability can be leveraged to execute malicious JavaScript in an administrator’s browser session. Version 2025.7 fixes the issue.
CWE类型:
标签:
受影响产品
| 厂商 | 产品 | 版本 | 版本范围 | 平台 | CPE |
|---|---|---|---|---|---|
| NeoRazorX | facturascripts | < 2025.7 | - | - |
cpe:2.3:a:neorazorx:facturascripts:<_2025.7:*:*:*:*:*:*:*
|
解决方案
中文解决方案:
英文解决方案:
临时解决方案:
参考链接
cve.org
cve.org
cve.org
CVSS评分详情
4.0 (cna)
LOWCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U
时间信息
利用信息
数据源详情
| 数据源 | 记录ID | 版本 | 提取时间 |
|---|---|---|---|
| CVE | cve_CVE-2025-69210 |
2025-12-31 03:16:23 | 2026-01-12 02:12:33 |
| NVD | nvd_CVE-2025-69210 |
2026-01-01 04:27:49 | 2026-01-12 02:28:15 |
| CNNVD | cnnvd_CNNVD-202512-5076 |
2026-01-11 06:15:04 | 2026-01-12 02:38:08 |
版本与语言
安全公告
变更历史
查看详细变更
- vulnerability_type: 未提取 -> 跨站脚本
- cnnvd_id: 未提取 -> CNNVD-202512-5076
- data_sources: ['cve', 'nvd'] -> ['cnnvd', 'cve', 'nvd']
查看详细变更
- data_sources: ['cve'] -> ['cve', 'nvd']