1.2

CVSS Score

4.0

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-69210

CVE-2025-69210: FacturaScripts vulnerable to Stored Cross-Site Scripting (XSS) via XML File Upload

FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.7, a stored cross-site scripting (XSS) vulnerability exists in the product file upload functionality. Authenticated users can upload crafted XML files containing executable JavaScript. These files are later rendered by the application without sufficient sanitization or content-type enforcement, allowing arbitrary JavaScript execution when the file is accessed. Because product files uploaded by regular users are visible to administrative users, this vulnerability can be leveraged to execute malicious JavaScript in an administrator’s browser session. Version 2025.7 fixes the issue.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-69210

CVE-2025-69210:

1.2

CVSS Score

4.0

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions
facturascripts/facturascripts	composer	<= 2025.4
facturascripts/facturascripts	composer	= 2025.11
facturascripts/facturascripts	composer	= 2025.41
facturascripts/facturascripts	composer	= 2025.43

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in the handling of uploaded files within the Myfiles controller. The provided patch e908ade21c84bdc9d51190057482316730c66146 clearly shows modifications to Core/Controller/Myfiles.php. The key change is in the run() method, which is responsible for serving the files. Previously, the code only forced a download for SVG files. The patch expands this protection to include XML, HTML, and other potentially dangerous file types by replacing isSvg() with a more comprehensive shouldForceDownload() check. This indicates that the run() method was the point of vulnerability, as it would serve user-uploaded XML files with a content type that allowed browsers to execute embedded scripts, leading to the stored XSS. The run() function is therefore the primary vulnerable function that would appear in a runtime profile during the exploitation of this vulnerability.

Vulnerable functions

Myfiles::run

Core/Controller/Myfiles.php

The `run` function in `Core/Controller/Myfiles.php` was vulnerable to a stored XSS attack. Before the patch, it did not properly sanitize or enforce content-type restrictions on uploaded files. This allowed authenticated users to upload malicious XML files with embedded JavaScript. When another user, such as an administrator, accessed the uploaded file, the `run` function would serve the file without forcing a download. This caused the browser to render the XML file, executing the malicious JavaScript in the victim's session. The patch mitigates this by introducing the `shouldForceDownload` function, which checks for dangerous file extensions and MIME types (including XML) and forces the browser to download the file instead of rendering it.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

1.2

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-69210: FacturaScripts vulnerable to Stored Cross-Site Scripting (XSS) via XML File Upload

CVE-2025-69210:

1.2

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

Technical Details

1.2

1.2

CVE-2025-69210: FacturaScripts vulnerable to Stored Cross-Site Scripting (XSS) via XML File Upload

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI