
CVE-2025-55579 PoC — SolidInvoice security vulnerability

Associated Vulnerability
Title: SolidInvoice security vulnerability (CVE-2025-55579)
Description: SolidInvoice version 2.3.7 is vulnerable to a Stored Cross-Site Scripting (XSS) issue in the Tax Rates functionality. The vulnerability is fixed in version 2.3.8.

Readme
# CVE-2025-55579 - SolidInvoice Stored Cross-Site Scripting (XSS) in Tax Rates

## Summary
SolidInvoice is vulnerable to a Stored Cross-Site Scripting (XSS) issue in the Tax Rates feature. An authenticated user who can create or edit tax rates can inject arbitrary JavaScript into the application; the payload is stored and later executes in the browser of any user who views the affected page.
## Affected Versions
* **Vulnerable:** 2.3.7
* **Fixed:** 2.3.8

## Impact
Exploitation allows a malicious user to store arbitrary JavaScript in the application, which then executes in the context of other authenticated users who view the *Tax Rates* page. If the application is deployed in a multi-user environment, for example with several administrators, this could lead to:
* Session hijacking
* Credential or token theft
* Phishing or social engineering attacks
* Arbitrary actions performed on behalf of another user

## Proof-of-Concept
1. Navigate to *System > Tax Rates > Add Tax Rate*.
2. Enter the following payload in the *Name* field (it is an `<image>` tag with `/` in place of spaces between attributes, so it is not caught by a naive "no spaces" filter):
   ```
   <image/src/onerror=prompt(1)>
   ```
3. Fill in all required fields and save the tax rate.
4. Visit *System > Tax Rates* to trigger the script.

## Remediation
Update SolidInvoice to version **2.3.8 or later**. Also review tax rate names that were saved while 2.3.7 was in use, since the upgrade does not necessarily rewrite existing records.
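
To make the flaw and its fix concrete, the following is an added example written for this page in Python; it is not code from SolidInvoice or from the PoC author. It models the unescaped rendering of a tax rate name, shows the hardened form that HTML-encodes the name at output time, and adds an audit routine that flags stored names containing markup, which is useful after upgrading because records created on 2.3.7 stay in the database. The audit uses a tolerant HTML parser rather than a fixed string match, so it also catches tag variants that, like the PoC payload, avoid spaces. The function names, the record layout and the sample records other than the PoC payload are assumptions constructed for the example.

```python
import html
from html.parser import HTMLParser

# Payload taken from the PoC above; the other records are constructed sample data.
POC_PAYLOAD = "<image/src/onerror=prompt(1)>"
SAMPLE_TAX_RATES = [
    {"id": 1, "name": "VAT 20%", "rate": 20.0},
    {"id": 2, "name": "Reduced 5%", "rate": 5.0},
    {"id": 3, "name": POC_PAYLOAD, "rate": 0.0},
]


def render_row_vulnerable(rate):
    """Model of the flaw: the stored name is concatenated into the
    Tax Rates table with no output encoding (not SolidInvoice's code)."""
    return f"<tr><td>{rate['name']}</td><td>{rate['rate']}%</td></tr>"


def render_row_fixed(rate):
    """Hardened form: HTML-encode the name (including quotes) at output
    time, so the browser sees text rather than a tag with an onerror handler."""
    return (f"<tr><td>{html.escape(rate['name'], quote=True)}</td>"
            f"<td>{rate['rate']}%</td></tr>")


class _MarkupDetector(HTMLParser):
    """Records every start tag and every on* event-handler attribute
    that a tolerant HTML parser finds in a string."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers.extend(a for a, _ in attrs if a.lower().startswith("on"))


def contains_markup(value):
    """Audit check for a stored value: True if a browser would parse a
    tag out of it. Tolerant parsing matters because the PoC payload
    separates attributes with '/' instead of whitespace."""
    detector = _MarkupDetector()
    detector.feed(value)
    detector.close()
    return bool(detector.tags)


def audit_tax_rates(rates):
    """Return the ids of stored tax rates whose name contains markup,
    e.g. records created while a vulnerable version was running."""
    return [r["id"] for r in rates if contains_markup(r["name"])]


if __name__ == "__main__":
    print(render_row_vulnerable(SAMPLE_TAX_RATES[2]))  # payload reaches the page intact
    print(render_row_fixed(SAMPLE_TAX_RATES[2]))       # rendered as &lt;image/...&gt;
    print("suspicious tax rate ids:", audit_tax_rates(SAMPLE_TAX_RATES))
```

Run against an export of the real tax rate table, `audit_tax_rates` gives the list of records to clean up by hand; the detector deliberately reports any tag at all, not just `<image>` or `<script>`, because a name field has no legitimate reason to contain markup.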

## References
**Product:** https://solidinvoice.co/