(FacturaScripts), Stored XSS, N/A (Critical)

How the mentioned CVE works:

The vulnerability resides in the product search modal used in sales and purchase documents.
When a product variant is saved, its `referencia` field is encoded by `noHtml()`, which turns `'` into `&#39;`.
This encoding is adequate for static HTML but fails when the modal HTML is later returned as JSON and injected via `innerHTML`.
Inside `SalesModalHTML.php` (line ~102), the `referencia` value is concatenated directly into an `onclick` attribute.

No `htmlspecialchars()` is applied to the `referencia` value in this JavaScript context.
An attacker with warehouse access creates a product whose reference is the payload `x'+alert(1)+'`.
After `noHtml()` encoding, the payload is stored in the database as `x&#39;+alert(1)+&#39;`.
When a victim (e.g., an administrator) opens an invoice and clicks the product search button, the modal HTML is fetched.
The server returns a JSON response containing the malicious `onclick` string with `&#39;` in it.

The frontend assigns `data.products` to `document.getElementById("findProductList").innerHTML`.

The browser's HTML parser decodes `&#39;` back to a raw single quote `'`.

Thus the `onclick` becomes: `return salesFormAction('add-product', 'x'+alert(1)+'');`

The injected `alert(1)` executes immediately because it is no longer inside a string literal; it has become part of a JavaScript concatenation expression.
This stored XSS triggers for any user who opens the product search modal, regardless of their privilege level.
No further user interaction is required after the product is created.
HttpOnly cookies offer no protection here because the script runs inside the victim's authenticated session and can issue requests directly.

dailycve form:

Platform: FacturaScripts
Version: Not specified
Vulnerability: Stored XSS
Severity: Critical
Date: Not disclosed

Prediction: 30 days post-disclosure

What Undercode Say:

Find the vulnerable `onclick` concatenation in the affected files:

```bash
grep -n "onclick=.referencia.." Core/Lib/AjaxForms/SalesModalHTML.php
grep -n "onclick=.referencia.." Core/Lib/AjaxForms/PurchasesModalHTML.php
```

Test payload injection via curl (authenticated):

```bash
curl -X POST 'https://target.com/EditProducto' \
  -H 'Cookie: session=...' \
  -d 'referencia=x%27%2Balert(1)%2B%27&descripcion=test'
```

Simulate the innerHTML decode issue using node:

```bash
echo 'x&#39;+alert(1)+&#39;' | htmlq --decode
```

How Exploit:

1. Login as warehouse user.

2. Create a product with reference: `x'+alert(1)+'`

3. Save product.

4. As victim, open invoice (`/EditFacturaCliente?codcliente=…`).

5. Click product search button; malicious product appears.

6. Click the product row → JavaScript executes.

Protection from this CVE:

  • Apply `htmlspecialchars($row['referencia'], ENT_QUOTES, 'UTF-8')` before inserting into `onclick`.
  • Replace `innerHTML` with `innerText` or `textContent` for dynamic product list rendering.
  • Use a CSP (Content Security Policy) `script-src` directive to block inline handlers.
  • Escape all output written into a JavaScript context with escaping appropriate to that context.
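The encode, concatenate, `innerHTML`-decode and click chain described under "How the mentioned CVE works", together with the context-aware escaping the first protection item calls for, as an added JavaScript example (not FacturaScripts code): `noHtml()` and `salesFormAction` are stand-ins modelled on the post's description, the attribute decoder handles only the entities involved, and the hardened variant escapes for the JavaScript string context before the HTML attribute context.

```javascript
// Added example (not FacturaScripts code): replays encode -> concatenate -> innerHTML-decode -> click.
// Storage-time encoding as the post describes noHtml() (assumed stand-in).
function noHtml(s) {
  return s.replace(/</g, '&lt;').replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Vulnerable concatenation: the stored value lands inside a JS string literal
// inside an HTML attribute with no escaping for either context.
function vulnerableOnclick(storedRef) {
  return "return salesFormAction('add-product', '" + storedRef + "');";
}

// Hardened form: escape for the JavaScript string context first
// (JSON.stringify yields a valid literal), then for the HTML attribute.
function hardenedOnclick(storedRef) {
  const jsLiteral = JSON.stringify(storedRef);
  const attrSafe = jsLiteral.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
                            .replace(/</g, '&lt;').replace(/>/g, '&gt;');
  return "return salesFormAction('add-product', " + attrSafe + ');';
}

// What the HTML parser does to an attribute value set via innerHTML:
// character references are decoded (&amp; last, so nothing is double-decoded).
function decodeAttribute(attr) {
  return attr.replace(/&#39;/g, "'").replace(/&quot;/g, '"')
             .replace(/&lt;/g, '<').replace(/&gt;/g, '>')
             .replace(/&amp;/g, '&');
}

// Simulate the click: the decoded attribute is the handler body. Stubs record
// whether alert() ran and which reference salesFormAction received.
function simulateClick(decodedHandler) {
  const seen = { alerted: null, ref: null };
  const handler = new Function('salesFormAction', 'alert', decodedHandler);
  handler((action, ref) => { seen.ref = ref; return false; },
          (v) => { seen.alerted = v; return ''; });
  return seen;
}

// End to end: raw reference -> database value -> attribute -> handler run.
function runScenario(rawRef, buildOnclick) {
  const stored = noHtml(rawRef);
  const handlerJs = decodeAttribute(buildOnclick(stored));
  return { handlerJs, ...simulateClick(handlerJs) };
}

const PAYLOAD = "x'+alert(1)+'";  // reference value from the post
const vulnerable = runScenario(PAYLOAD, vulnerableOnclick);  // alert runs, ref is 'x'
const hardened = runScenario(PAYLOAD, hardenedOnclick);      // no alert, ref intact
```

The first protection item above (a second `htmlspecialchars()` pass) also stops this particular payload, because it turns the stored `&#39;` into `&amp;#39;`; the hardened variant here is the general form, escaping once for each context in order.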

Impact:

Arbitrary JavaScript execution in victim’s browser. Attacker can perform authenticated requests (create admin users, exfiltrate invoices, steal data, redirect to phishing). Privilege escalation from low‑privilege warehouse employee to full admin session takeover.

Sources:

Reported By: github.com