GHSA-4V7V-7V7R-3R5H

Vulnerability from github – Published: 2026-02-02 18:17 – Updated: 2026-02-03 16:12
VLAI?
Summary
FacturaScripts has Stored Cross-Site Scripting (XSS) in "Observations" field via History View
Details

Summary

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Observations field. The flaw occurs in the History view, where historical data is rendered without proper HTML entity encoding. This allows an attacker to execute arbitrary JavaScript in the browser of viewing the history by administrators.

Details

When an administrator views the History tab of that specific note, the script executes in their browser session.

PoC

  1. Log in as a regular user.

  2. Open "Sales"=>"Customers"=> "Delivery Notes" image

  3. Chose one of the customer or create the new one.

  4. Open "Delivery notes" image

  5. Create a new Delivery Note or edit an existing one. Fill the "Number 2" field with any value and save. image image
  6. In the Observations field, enter the malicious JavaScript and save it again. image image
  7. Now we have record in "History" tab. image
  8. Logout and login as admin. Next go to the "History" tab with malicious code: image image image image image

Result: Upon opening the history record, the onerror event triggers, executing the JavaScript and displaying an alert box with the application's origin.

Impact

Change admin password via XSS: image image image image Admin password was changed image

This vulnerability results in a Critical Full Account Takeover, allowing any user with note-editing permissions to seize control of the admin account. It successfully bypasses CSRF protections and exploits the lack of "current password" verification during credential changes. Once compromised, the attacker gains total access to the system's management, sensitive financial data, and user configurations.

Technical requirements & Complexity

The attack requires prior technical knowledge of the internal API structure (field names and required values), which can be obtained by a legitimate user through browser developer tools. While it requires the target's code (e.g., admin), this is a common default value in most installations.

Severity ?
8.0 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "facturascripts/facturascripts"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2025.71"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-23997"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-02T18:17:33Z",
    "nvd_published_at": "2026-02-02T23:16:07Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nA Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Observations field. The flaw occurs in the History view, where historical data is rendered without proper HTML entity encoding. This allows an attacker to execute arbitrary JavaScript in the browser of  viewing the history by administrators.\n\n### Details\nWhen an administrator views the History tab of that specific note, the script executes in their browser session.\n\n### PoC\n\n1. Log in as a regular user.\n2. Open \"Sales\"=\u003e\"Customers\"=\u003e \"Delivery Notes\"\n\u003cimg width=\"818\" height=\"223\" alt=\"image\" src=\"https://github.com/user-attachments/assets/82518644-2676-42db-93b1-86133986276c\" /\u003e\n\n3.  Chose one of the customer or create the new one.\n\n4. Open \"Delivery notes\"\n\u003cimg width=\"2078\" height=\"713\" alt=\"image\" src=\"https://github.com/user-attachments/assets/f7e5027f-e574-4807-9e9c-bf8a51bc1fff\" /\u003e\n5. Create a new Delivery Note or edit an existing one. Fill the \"Number 2\" field with any value and save.\n\u003cimg width=\"2097\" height=\"739\" alt=\"image\" src=\"https://github.com/user-attachments/assets/a3ca5ccb-3d9a-4cfc-a991-16206a1a862b\" /\u003e\n\u003cimg width=\"2097\" height=\"858\" alt=\"image\" src=\"https://github.com/user-attachments/assets/9ca39755-4be6-4303-ab3c-b589cd222daf\" /\u003e\n6. In the Observations field, enter the malicious JavaScript and save it again.\n\u003cimg width=\"2097\" height=\"870\" alt=\"image\" src=\"https://github.com/user-attachments/assets/f189c53b-8b73-44e8-bb18-bd46f37cef4f\" /\u003e\n\u003cimg width=\"1539\" height=\"885\" alt=\"image\" src=\"https://github.com/user-attachments/assets/b2d20eb1-246e-4acc-b904-77bc85373873\" /\u003e\n7. Now we have record in \"History\" tab.\n\u003cimg width=\"2096\" height=\"768\" alt=\"image\" src=\"https://github.com/user-attachments/assets/6b76d7d4-fc2c-4eb1-9137-4e4ba7287b9b\" /\u003e\n8. Logout and login as admin. Next go to the \"History\" tab with malicious code:\n\u003cimg width=\"1730\" height=\"702\" alt=\"image\" src=\"https://github.com/user-attachments/assets/54f4af37-72f3-47a0-9669-2b1f6293f2b4\" /\u003e\n\u003cimg width=\"1749\" height=\"670\" alt=\"image\" src=\"https://github.com/user-attachments/assets/f7689083-0128-473c-a4e2-1898e801df78\" /\u003e\n\u003cimg width=\"1479\" height=\"587\" alt=\"image\" src=\"https://github.com/user-attachments/assets/4a6d6e4e-4645-4566-be92-9964c470456e\" /\u003e\n\u003cimg width=\"1541\" height=\"505\" alt=\"image\" src=\"https://github.com/user-attachments/assets/484d9e5f-596a-4508-a9cb-752e16e6564f\" /\u003e\n\u003cimg width=\"2095\" height=\"904\" alt=\"image\" src=\"https://github.com/user-attachments/assets/5462f11c-b274-40e6-af00-d10e7fc1e855\" /\u003e\n\nResult: Upon opening the history record, the onerror event triggers, executing the JavaScript and displaying an alert box with the application\u0027s origin.\n\n### Impact\n\nChange admin password via XSS:\n\u003cimg width=\"2094\" height=\"1260\" alt=\"image\" src=\"https://github.com/user-attachments/assets/7598f986-0618-46e1-9dc7-64655975b19e\" /\u003e\n\u003cimg width=\"1584\" height=\"1137\" alt=\"image\" src=\"https://github.com/user-attachments/assets/3e2302bc-01a3-4c47-ba9a-e69413e932b3\" /\u003e\n\u003cimg width=\"2084\" height=\"373\" alt=\"image\" src=\"https://github.com/user-attachments/assets/21523278-5bcc-4743-8557-4b6563a127d0\" /\u003e\n\u003cimg width=\"1665\" height=\"787\" alt=\"image\" src=\"https://github.com/user-attachments/assets/eca4d5b7-5dec-410f-9c59-99084821e350\" /\u003e\nAdmin password was changed\n\u003cimg width=\"1488\" height=\"598\" alt=\"image\" src=\"https://github.com/user-attachments/assets/53d3f4c1-accd-4136-8235-0fe5b287bbfe\" /\u003e\n\nThis vulnerability results in a Critical Full Account Takeover, allowing any user with note-editing permissions to seize control of the admin account. It successfully bypasses CSRF protections and exploits the lack of \"current password\" verification during credential changes. Once compromised, the attacker gains total access to the system\u0027s management, sensitive financial data, and user configurations.\n\n### Technical requirements \u0026 Complexity\nThe attack requires prior technical knowledge of the internal API structure (field names and required values), which can be obtained by a legitimate user through browser developer tools. While it requires the target\u0027s code (e.g., admin), this is a common default value in most installations.",
  "id": "GHSA-4v7v-7v7r-3r5h",
  "modified": "2026-02-03T16:12:21Z",
  "published": "2026-02-02T18:17:33Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-4v7v-7v7r-3r5h"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23997"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/NeoRazorX/facturascripts"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "FacturaScripts has Stored Cross-Site Scripting (XSS) in \"Observations\" field via History View"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.