FacturaScripts, Reflected Cross-Site Scripting (XSS) via Cookie Manipulation, No CVE (Low severity)


The vulnerability exists in the `fsNick` cookie parameter of FacturaScripts. The application reads the cookie value and directly injects it into the HTML DOM without any encoding or sanitization. An attacker can modify the `fsNick` cookie to contain malicious JavaScript. When the victim’s browser sends a request with this tampered cookie, the server reflects the payload into the page. The server eventually detects the invalid session and forces a logout, but the HTML containing the malicious script is rendered and executed before the redirect occurs. This timing allows the script to run in the victim’s context. The provided Proof of Concept uses `` as the cookie value. The script executes immediately upon page load, effectively beating the logout redirect. Because the execution happens before the session is discarded, an attacker could potentially perform a single unauthorized action (e.g., changing a setting or submitting a form) using the victim’s session. The severity is rated Low because it requires the attacker to manipulate the victim’s cookie (e.g., via a separate XSS or man-in-the-middle) and only yields a very narrow window of opportunity. No CVE identifier has been assigned to this advisory as of the publication date.

DailyCVE summary:

Platform: FacturaScripts
Version: Not specified
Vulnerability: Reflected XSS
Severity: Low
Date: May 7 2026

Prediction: May 14 2026

What Undercode Say:

Simulate malicious cookie injection using curl:
  curl -H "Cookie: fsNick=<script>alert(window.origin)</script>" https://target-facturascripts.com/dashboard

Extract the cookie from browser devtools or document.cookie (only possible if the cookie is not HttpOnly):
  echo 'document.cookie="fsNick=<script>alert(window.origin)</script>"' | xclip

Monitor logs for the reflected payload:
  grep "fsNick" /var/log/facturascripts/access.log | grep "<script"

How to exploit:

  1. Intercept a request to any FacturaScripts page using a proxy (Burp/ZAP).
  2. Modify the `fsNick` cookie value to: ``.
  3. Forward the request to the victim (e.g., via CSRF or a phishing link with a pre-set cookie).
  4. The payload executes in the victim’s browser before the forced logout.
  5. Use the JavaScript to perform one action (e.g., fetch('/admin/user/create', {method:'POST'})).

Protection from this vulnerability:

  • Sanitize all cookie-derived values before rendering in HTML (use `htmlspecialchars()` in PHP or equivalent).
  • Set the `HttpOnly` flag on the `fsNick` cookie to prevent JavaScript access, though server-side reflection still needs encoding.
  • Implement a Content Security Policy (CSP) that disallows inline script execution.
  • Reject invalid sessions before generating any HTML output (i.e., perform session validation at the very beginning of the request lifecycle).
  • Use a web application firewall to detect and block cookie values containing HTML tags or JavaScript.
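The following PHP snippet is an added illustration of the first, second and fourth mitigations above; it is not FacturaScripts' own code, and every name other than the `fsNick` cookie (the functions, the `$validNicks` list, the `/login` redirect target) is an assumption made for the example. It shows the raw reflection the advisory describes next to an output-encoded version, and a request handler that validates the session before any HTML is built and emits a CSP without `'unsafe-inline'` plus an `HttpOnly` cookie as defence in depth.

```php
<?php
// Added example, not FacturaScripts code. Function names, the session
// validator and the redirect target are assumptions for illustration;
// only the `fsNick` cookie name comes from the advisory.

// Vulnerable pattern from the advisory: the cookie value is concatenated
// into HTML with no encoding and before the session has been checked.
function renderGreetingVulnerable(array $cookies): string
{
    $nick = $cookies['fsNick'] ?? 'guest';
    return '<span class="nick">' . $nick . '</span>';
}

// Context-aware output encoding. ENT_QUOTES also encodes single quotes,
// so the result is safe inside attribute values as well as element text.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hardened render: same markup, but the untrusted value is encoded first.
function renderGreetingHardened(array $cookies): string
{
    $nick = $cookies['fsNick'] ?? 'guest';
    return '<span class="nick">' . escapeHtml($nick) . '</span>';
}

// Hypothetical session validator: a real application would consult its
// session store. Strict comparison means an unknown nick never reaches HTML.
function isValidSession(array $cookies, array $validNicks): bool
{
    $nick = $cookies['fsNick'] ?? '';
    return in_array($nick, $validNicks, true);
}

// Request lifecycle with the checks in the right order: validate, then render.
// Returns status, headers and body as data so the logic runs from the CLI.
function handleRequest(array $cookies, array $validNicks): array
{
    // 1. Reject an invalid session before a single byte of HTML exists, which
    //    closes the "render, then logout" window the advisory describes.
    if (!isValidSession($cookies, $validNicks)) {
        return ['status' => 302, 'headers' => ['Location: /login'], 'body' => ''];
    }

    // 2. Defence in depth: a CSP without 'unsafe-inline' blocks injected inline
    //    scripts even if an encoding bug slips through elsewhere, and HttpOnly
    //    keeps page scripts from reading or rewriting the session cookie.
    $headers = [
        "Content-Security-Policy: default-src 'self'; script-src 'self'",
        'Set-Cookie: fsNick=' . rawurlencode($cookies['fsNick'])
            . '; Path=/; HttpOnly; Secure; SameSite=Lax',
    ];

    // 3. Only now is the (encoded) value rendered.
    return ['status' => 200, 'headers' => $headers, 'body' => renderGreetingHardened($cookies)];
}

// Constructed demo input: a tampered cookie carrying the PoC-style payload.
$tampered = ['fsNick' => '<script>alert(window.origin)</script>'];
$known    = ['admin', 'alice'];   // constructed list of valid logins

echo "vulnerable : ", renderGreetingVulnerable($tampered), PHP_EOL;
echo "hardened   : ", renderGreetingHardened($tampered), PHP_EOL;

$rejected = handleRequest($tampered, $known);
echo "tampered   : HTTP ", $rejected['status'], PHP_EOL;

$accepted = handleRequest(['fsNick' => 'alice'], $known);
echo "valid      : HTTP ", $accepted['status'], ' ', $accepted['body'], PHP_EOL;
foreach ($accepted['headers'] as $h) {
    echo "             ", $h, PHP_EOL;
}
```

Run it with `php example.php`. The vulnerable line prints the `<script>` element intact, the hardened line prints it with the angle brackets encoded as entities, and the tampered cookie never reaches either renderer in `handleRequest` because the session check fires first and returns the redirect.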

Impact:

Malicious script executes inside the victim’s session context before logout, allowing a single unauthorized action such as changing account details, creating a privileged user, or exfiltrating a small amount of data. The impact is limited to one request due to immediate session termination.


Sources:

Reported By: github.com
