FacturaScripts Stored Cross-Site Scripting Vulnerability in History View

Vulnerability

A stored cross-site scripting vulnerability has been identified in FacturaScripts versions through 2025.71. The issue resides in the Observations field within the History view, where data is displayed without adequate HTML entity encoding. This flaw enables an attacker to execute arbitrary JavaScript in the browser of an administrator viewing the history.

Impact

Exploitation of this vulnerability allows for full account takeover of an admin account, bypassing CSRF protections and the need for current password verification when changing credentials. This gives the attacker complete access to the system's management, sensitive financial data, and user configurations.

Reproduction

To reproduce this vulnerability, log in as a regular user and navigate to 'Sales' -> 'Customers' -> 'Delivery Notes'. Select or create a customer and open the 'Delivery Notes' section. Create a new delivery note or edit an existing one, filling the 'Observations' field with malicious JavaScript. Save the note, then log out and log back in as an admin. Go to the 'History' tab to see the JavaScript execute.
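As an added illustration (not FacturaScripts' own code), the Python below contrasts a History-view cell rendered without entity encoding against the hardened, entity-encoded form, and adds a triage check that lists stored Observations records already containing markup so they can be reviewed after patching; the row layout and the `observations` key are assumptions.

```python
import html
import re

# Constructed sample rows standing in for delivery notes as the History view
# might load them (sample data, not real FacturaScripts records). Row 2 holds
# markup of the kind the advisory describes as untrusted input.
SAMPLE_ROWS = [
    {"id": 1, "observations": "Deliver before noon"},
    {"id": 2, "observations": "<script>alert('x')</script>"},
    {"id": 3, "observations": 'Quote: "fragile" & handle with care'},
]

def render_vulnerable(row: dict) -> str:
    """Mirrors the flaw: the field is interpolated into HTML verbatim."""
    return f'<td class="observations">{row["observations"]}</td>'

def render_fixed(row: dict) -> str:
    """Hardened form: entity-encode for an HTML text node, quotes included,
    so stored text can never be parsed as tags or attributes."""
    return f'<td class="observations">{html.escape(row["observations"], quote=True)}</td>'

def render_history(rows, renderer) -> str:
    """Build the History table with whichever cell renderer is supplied."""
    return "<table>" + "".join(f"<tr>{renderer(r)}</tr>" for r in rows) + "</table>"

# Anything that parses as an opening or closing HTML tag.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")

def contains_markup(value: str) -> bool:
    """True when a stored Observations value contains an HTML tag."""
    return bool(TAG_RE.search(value))

def triage_stored_rows(rows) -> list:
    """Defender check after deploying the fix: ids of records whose stored
    Observations already contain markup and deserve manual review."""
    return [r["id"] for r in rows if contains_markup(r["observations"])]

if __name__ == "__main__":
    print(render_history(SAMPLE_ROWS, render_fixed))
    print("rows needing review:", triage_stored_rows(SAMPLE_ROWS))
```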

Added: Feb 2, 2026, 11:33 PM
Updated: Feb 2, 2026, 11:33 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 5.4
exploitability: 6.3
remediation: 0.0
relevance: 2.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.