CVE-2025-9168 in SolidInvoice
Summary
by MITRE • 08/20/2025
A vulnerability was found in SolidInvoice up to 2.4.0. This issue affects some unknown processing of the file /invoice of the component Invoice Creation Module. The manipulation of the argument Client Name results in cross-site scripting. The attack may be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis
by VulDB Data Team • 08/20/2025
CVE-2025-9168 is a cross-site scripting vulnerability in SolidInvoice version 2.4.0 and earlier, located in the Invoice Creation Module. It is triggered by requests to the /invoice endpoint in which the Client Name parameter is handled improperly: the application neither sanitizes nor encodes the value before rendering it in the web interface, so an attacker can inject script that executes in the browsers of other users who view the page. The vulnerability is exploitable remotely, with no physical access to the system or presence on the local network required, which makes it particularly dangerous for a web-facing application. Because the exploit has been made public and is usable as released, the risk to affected organizations is significantly higher: the attack requires neither advanced technical skills nor specialized tools.
The flaw corresponds to CWE-79, which covers cross-site scripting weaknesses where untrusted data is incorporated into a web page without proper validation or encoding. Here the defect occurs during invoice creation: the application fails to escape or sanitize the Client Name field before displaying it in the generated invoice template. The attack vector is a standard web request in which the attacker supplies a Client Name containing script tags or other active content, which then executes when a legitimate user views the invoice. This type of vulnerability falls under the ATT&CK techniques T1566.001 ("Phishing: Spearphishing Attachment") and T1566.002 ("Phishing: Spearphishing Link"), since a compromised invoice creation process can be used to deliver malicious payloads. The impact extends beyond script execution itself to session hijacking, credential theft, and further lateral movement within the application environment.
The operational impact of CVE-2025-9168 is substantial for organizations running SolidInvoice: successful exploitation could allow an attacker to impersonate legitimate users, access sensitive financial data, modify invoice information, or redirect users to malicious websites. The affected invoice creation module is likely a critical business function for the application's users, so an attack can disrupt normal operations while giving the attacker persistent access to the system. Organizations that have not yet addressed the vulnerability face an increased risk of data breaches, financial loss, and regulatory compliance violations, particularly where the application handles sensitive customer information or financial records. The vendor's lack of response to early disclosure compounds the situation: affected parties have no official patch or guidance during the period in which the vulnerability is actively exploitable, and must rely on community resources or emergency mitigations of their own.
Organizations should immediately implement mitigations, in particular input validation and output encoding for all user-supplied data used in invoice creation. The recommended approach is strict sanitization of the Client Name parameter and similar fields to prevent script injection, using established libraries or frameworks that handle XSS protection automatically. In addition, Content Security Policy headers should be deployed to limit script execution within the application's context, and a web application firewall used to detect and block requests targeting this vulnerability. The application should also log and monitor for exploitation attempts, including unusual input patterns in invoice creation requests. Given the public exploit and the absence of a vendor response, patching or workarounds should be prioritized immediately, as the window for exploitation remains open and the vulnerability continues to pose an active threat to deployed systems.
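The mitigations above, shown as an added example rather than code from SolidInvoice or from VulDB: the CWE-79 pattern (untrusted Client Name concatenated into markup) sits next to the hardened rendering that encodes at the HTML sink, plus the defence-in-depth pieces the analysis recommends (server-side validation, a Content Security Policy header set, and a logging hook that flags markup-like values in invoice form fields). The example is written in Python rather than the application's own stack; the function names, the CSP directive values and the sample client name are all constructed for illustration.

```python
import html
import re
from typing import Dict, List

# Constructed sample input: a client name carrying active content.
# This is test data for the example, not a payload taken from the advisory.
HOSTILE_CLIENT_NAME = "Acme <script>alert(1)</script> Ltd"


def render_client_cell_vulnerable(client_name: str) -> str:
    """Reproduces the CWE-79 defect: untrusted input is concatenated into
    markup without encoding, so browser-active characters survive intact."""
    return f'<td class="client">{client_name}</td>'


def render_client_cell_hardened(client_name: str) -> str:
    """Output encoding at the HTML-text sink: characters that can open a tag,
    attribute or entity are converted to their entity forms, so the browser
    renders the name as text no matter what it contains."""
    return f'<td class="client">{html.escape(client_name, quote=True)}</td>'


def client_name_is_plausible(client_name: str, max_len: int = 120) -> bool:
    """Server-side validation as defence in depth (hypothetical policy).
    Angle brackets and control characters are rejected rather than 'cleaned'.
    This is not a substitute for encoding: a legitimate name such as
    O'Brien & Sons passes validation and must still be encoded at the sink."""
    if not 0 < len(client_name) <= max_len:
        return False
    return re.fullmatch(r"[\w .,'&()\-/]+", client_name) is not None


def csp_headers() -> Dict[str, str]:
    """Response headers that refuse inline script execution, so an injected
    script would be blocked by the browser even if encoding were bypassed.
    The directive values are an assumed baseline, not SolidInvoice's."""
    return {
        "Content-Security-Policy": (
            "default-src 'self'; script-src 'self'; "
            "object-src 'none'; base-uri 'self'"
        ),
        "X-Content-Type-Options": "nosniff",
    }


def flag_suspicious_invoice_fields(form_fields: Dict[str, str]) -> List[str]:
    """Monitoring hook: returns the names of invoice form fields whose values
    look like markup or script (tag openers, javascript: URLs, on*= handlers).
    Intended for logging and alerting, not as the sole protection."""
    pattern = re.compile(r"<\s*/?\s*[a-z!]|javascript:|on\w+\s*=", re.IGNORECASE)
    return [name for name, value in form_fields.items() if pattern.search(value)]


if __name__ == "__main__":
    print("vulnerable:", render_client_cell_vulnerable(HOSTILE_CLIENT_NAME))
    print("hardened:  ", render_client_cell_hardened(HOSTILE_CLIENT_NAME))
    print("valid?     ", client_name_is_plausible(HOSTILE_CLIENT_NAME),
          client_name_is_plausible("O'Brien & Sons"))
    print("flagged:   ", flag_suspicious_invoice_fields(
        {"client_name": HOSTILE_CLIENT_NAME, "notes": "Net 30"}))
```

The validation and detection regexes are deliberately narrow; they catch the obvious cases for logging and rejection, while the encoding step in `render_client_cell_hardened` is what actually closes the CWE-79 hole, because it is correct for every input rather than only for inputs the pattern anticipates.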