CVE-2025-55579 PoC — SolidInvoice 安全漏洞

Source

Associated Vulnerability

Description

CVE-2025-55579

Readme

# CVE-2025-55579 - SolidInvoice Stored Cross-Site Scripting (XSS) in Tax Rates

## Summary
SolidInvoice is vulnerable to a Stored Cross-Site Scripting (XSS) issue in the Tax Rates Feature. An authenticated attacker can inject arbitrary JavaScript into the application, which will then execute in users' browsers.
## Affected Versions
* **Vulnerable:** 2.3.7
* **Fixed:** 2.3.8

## Impact
Exploitation allows a malicious user to store arbitrary JavaScript in the application, which will execute in the context of other authenticated users who view the *Tax Rates* page. If the application is deployed in a multi-user environment - for example, with multiple admins, this could lead to:
* Session hijacking
* Credential or token theft
* Phishing or social engineering attacks
* Arbitrary actions performed on behalf of another user

## Proof-of-Concept
1. Navigate to *System > Tax Rates > Add Tax Rate*.
2. Enter a payload in the *Name* field with the following format:
   ```
   <image/src/onerror=prompt(1)>
   ```
3. Fill in all required fields and save the tax rate.
4. Visit *System > Tax Rates* to trigger the script.

## Remediation
Update SolidInvoice to version **2.3.8 or later**.

## References
**Product:** https://solidinvoice.co/

File Snapshot

 [4.0K]  /data/pocs/6786f65d2f3bd67533405ada0a21c77ef7be8305
└── [1.2K]  README.md

0 directories, 1 file

Remarks