FacturaScripts
cpe:2.3:a:facturascripts:facturascripts:*:*:*:*:*:*:*
- <= v2025.81
A sensitive information disclosure vulnerability has been identified in the Library module of FacturaScripts, an open-source accounting and invoicing software. In versions prior to 2026, the Library module stored uploaded images without removing embedded EXIF, XMP, and IPTC metadata. This oversight allowed any authenticated user who downloaded an image to access the uploader's personal information, including GPS coordinates, device details, timestamps, comments, thumbnail previews, and other personally identifiable information (PII). The vulnerability is particularly concerning as it could lead to unintentional disclosure of sensitive information, such as an employee's home address, to other users with Library download access.
The vulnerability allows for the extraction of unstripped metadata from downloaded images, including GPS coordinates, device information, timestamps, comments, thumbnail previews, and other PII. This creates a one-to-many exposure vector in a shared-access environment, such as an ERP system, where multiple users can access the same Library resources.
To reproduce this vulnerability, upload an image with rich EXIF metadata, including GPS coordinates and personal comments, to the Library module. After the upload, download the image and use a tool like 'exiftool' to extract the metadata. The downloaded image will retain all original metadata, including sensitive information such as location data and personal identifiers.
Users are advised to update to FacturaScripts version 2026, where this vulnerability has been addressed. For those using earlier versions, implement server-side metadata stripping for all image uploads in the Library module before storage, and retroactively clean up existing images.