CVE-2026-42877 - FacturaScripts vulnerable to stored XSS via product reference in sales/purchases

📡 GitHub-Advisory · 2026-05-07

GHSA-r736-2678-fcrx MEDIUM composer/facturascripts/facturascripts

CVE: CVE-2026-42877

Summary

A stored Cross-Site Scripting (XSS) vulnerability exists in the product search modal of sales and purchases documents. An authenticated user with access to the warehouse module can create a product with a malicious reference that executes arbitrary JavaScript in the browser of any other user who opens the product search modal inside an invoice, order, or delivery note.

Affected files

  • Core/Lib/AjaxForms/SalesModalHTML.php
  • Core/Lib/AjaxForms/PurchasesModalHTML.php

Vulnerability details

The referencia field of a product variant is injected directly into an HTML onclick attribute string without JavaScript context escaping:

// SalesModalHTML.php ~line 102
$tbody .= '<tr onclick="return salesFormAction(\'add-product\', \''
    . $row['referencia']   // no htmlspecialchars() applied
    . '\');">';

When a product is saved, noHtml() encodes ' as &#39;. This appears safe in a static HTML context. However, the modal HTML is later returned as a JSON response and inserted into the DOM via innerHTML:

// SalesDocument.html.twig line 118
document.getElementById("findProductList").innerHTML = data.products;

The browser's HTML parser decodes &#39; back to ' while parsing the attribute value during the innerHTML assignment, which breaks out of the JavaScript string literal in the onclick attribute and executes the injected code.

Attack payload stored in database: x&#39;+alert(1)+&#39;

Resulting onclick after innerHTML decode:

return salesFormAction('add-product', 'x'+alert(1)+'')
//                                        ^^^^^^^^^^ executes before the function call
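
The same row construction with the JavaScript-context escaping the advisory says is missing, as an added example that is not FacturaScripts code. It assumes `referencia` arrives as noHtml() stores it (with `'` already encoded as `&#39;`), keeps the page's `salesFormAction('add-product', ...)` call, and the `onclickSource()` helper is a stand-in for what the browser's HTML parser does to the attribute during the innerHTML assignment.

```php
<?php
// Added example (not FacturaScripts code): vulnerable vs. hardened row builder.
// Assumption: $referencia is the DB value after noHtml(), so ' is stored as &#39;.
declare(strict_types=1);

// The stored payload from the advisory, exactly as noHtml() leaves it in the DB.
const STORED_REFERENCIA = 'x&#39;+alert(1)+&#39;';

/** Vulnerable pattern: the DB value is dropped into a JS string literal that
 *  lives inside an HTML attribute, with no JS-context escaping at all. */
function vulnerableRow(string $referencia): string
{
    return '<tr onclick="return salesFormAction(\'add-product\', \''
        . $referencia
        . '\');">';
}

/** Hardened: decode the stored entities to the real value, encode it for the
 *  JS context (json_encode with HEX flags so no quote, <, > or & survives
 *  unescaped), then encode that literal for the HTML attribute context. */
function hardenedRow(string $referencia): string
{
    $raw = html_entity_decode($referencia, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $jsLiteral = json_encode($raw, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT
        | JSON_HEX_AMP | JSON_UNESCAPED_UNICODE | JSON_THROW_ON_ERROR);
    return '<tr onclick="return salesFormAction(\'add-product\', '
        . htmlspecialchars($jsLiteral, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . ');">';
}

/** Stand-in for the browser: extract the onclick attribute and entity-decode
 *  it, which yields the JavaScript source that would actually execute. */
function onclickSource(string $html): string
{
    if (!preg_match('/onclick="([^"]*)"/', $html, $m)) {
        throw new RuntimeException('no onclick attribute found');
    }
    return html_entity_decode($m[1], ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

echo "vulnerable: ", onclickSource(vulnerableRow(STORED_REFERENCIA)), PHP_EOL;
echo "hardened:   ", onclickSource(hardenedRow(STORED_REFERENCIA)), PHP_EOL;

// Self-check: in the hardened handler the only bare apostrophes are the two
// around 'add-product'; the stored quote never re-emerges as a JS delimiter.
if (substr_count(onclickSource(hardenedRow(STORED_REFERENCIA)), "'") !== 2) {
    throw new RuntimeException('stored quote leaked into the JS context');
}
```

Run with `php example.php`: the vulnerable line shows the payload spliced into the handler as a JS expression, the hardened line shows it as a single double-quoted JSON string literal with the apostrophes as `\u0027` escapes.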

Steps to reproduce

Step 1 — Inject the payload

1. Log in as a user with write access to Warehouse → Products

2. Navigate to /EditProducto and create a new product with the following values:

| Field       | Value            |
|-------------|------------------|
| Reference   | `x'+alert(1)+'`  |
| Description | `test`           |

3. Save the product

Step 2 — Trigger the XSS

1. Make sure at l
