Primary

Context

SolidInvoice Stored Cross-Site Scripting Vulnerability in Clients Module

Vulnerability

A stored cross-site scripting vulnerability has been identified in SolidInvoice versions through 2.4.0. The issue resides in the Clients Module, specifically within the '/clients' file. The vulnerability is triggered by manipulating the 'Name' parameter, allowing for the injection of malicious JavaScript. This exploit can be executed remotely and, once injected, the script is stored and executed automatically when the clients list is accessed.

Impact

Exploitation of this vulnerability allows for the persistent execution of injected JavaScript in the browsers of users who access the clients list.

Reproduction

To reproduce this vulnerability, log into the SolidInvoice application and navigate to the 'Add New Client' section. Inject a script payload into the 'Name' field and submit the form. The injected script will be executed when the 'Clients List' page is accessed.

Added: Aug 19, 2025, 11:19 PM

Updated: Aug 19, 2025, 11:19 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

1.7

exploitability

6.3

remediation

0.0

relevance

0.3

threat

6.4

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

1.7

exploitability

6.3

remediation

0.0

relevance

0.3

threat

6.4

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

SolidInvoice Stored Cross-Site Scripting Vulnerability in Clients Module

Vulnerability

Impact

Reproduction

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating