关联漏洞
描述
CVE-2025-55579
介绍
# CVE-2025-55579 - SolidInvoice Stored Cross-Site Scripting (XSS) in Tax Rates
## Summary
SolidInvoice is vulnerable to a Stored Cross-Site Scripting (XSS) issue in the Tax Rates Feature. An authenticated attacker can inject arbitrary JavaScript into the application, which will then execute in users' browsers.
## Affected Versions
* **Vulnerable:** 2.3.7
* **Fixed:** 2.3.8
## Impact
Exploitation allows a malicious user to store arbitrary JavaScript in the application, which will execute in the context of other authenticated users who view the *Tax Rates* page. If the application is deployed in a multi-user environment - for example, with multiple admins, this could lead to:
* Session hijacking
* Credential or token theft
* Phishing or social engineering attacks
* Arbitrary actions performed on behalf of another user
## Proof-of-Concept
1. Navigate to *System > Tax Rates > Add Tax Rate*.
2. Enter a payload in the *Name* field with the following format:
```
<image/src/onerror=prompt(1)>
```
3. Fill in all required fields and save the tax rate.
4. Visit *System > Tax Rates* to trigger the script.
## Remediation
Update SolidInvoice to version **2.3.8 or later**.
## References
**Product:** https://solidinvoice.co/
文件快照
[4.0K] /data/pocs/6786f65d2f3bd67533405ada0a21c77ef7be8305
└── [1.2K] README.md
0 directories, 1 file
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。