CVE-2025-55579 is a medium-severity Stored Cross-Site Scripting (XSS) vulnerability affecting SolidInvoice version 2.3.7, specifically within its Tax Rates functionality. Stored XSS occurs when malicious scripts are injected into a web application’s data storage and later executed in the browsers of users who access the affected content. In this case, an attacker with at least limited privileges (PR:L) and requiring user interaction (UI:R) can inject malicious JavaScript code into the Tax Rates feature. When other users view or interact with the compromised tax rate data, the malicious script executes in their browsers, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the victim. The vulnerability has a CVSS v3.1 base score of 5.4, reflecting a medium risk level. The attack vector is network-based (AV:N), with low attack complexity (AC:L), but requires some privileges and user interaction. The scope is changed (S:C), meaning the vulnerability can affect resources beyond the initially vulnerable component. The impact affects confidentiality and integrity (C:L/I:L) but not availability (A:N). The vulnerability is fixed in SolidInvoice version 2.3.8. There are no known exploits in the wild at the time of publication. The vulnerability is classified under CWE-79, which covers improper neutralization of input leading to XSS. Since SolidInvoice is an invoicing and billing system, the Tax Rates functionality is likely used by finance or accounting personnel, making the user base potentially limited but sensitive. Attackers exploiting this vulnerability could steal session cookies, perform actions on behalf of users, or deliver further malware payloads via the injected scripts.

For European organizations using SolidInvoice 2.3.7 or earlier, this vulnerability poses a risk to the confidentiality and integrity of financial data and user sessions. Compromise of user sessions could lead to unauthorized access to sensitive invoicing and tax information, manipulation of billing data, or fraudulent transactions. Given that invoicing systems are integral to business operations, exploitation could disrupt financial workflows and damage trust with clients and partners. The requirement for user interaction and privileges limits the attack surface but does not eliminate risk, especially in environments where multiple users have access to the invoicing system. Additionally, the scope change indicates that the impact could extend beyond the immediate component, potentially affecting other parts of the application or integrated systems. European organizations are subject to strict data protection regulations such as GDPR; a breach involving financial or personal data could result in regulatory penalties and reputational damage. Although no exploits are currently known in the wild, the presence of a public CVE and a fix in version 2.3.8 means attackers may attempt to develop exploits, increasing urgency for patching.

1. Immediate upgrade to SolidInvoice version 2.3.8 or later to apply the official patch that fixes the Stored XSS vulnerability. 2. Implement strict input validation and output encoding on all user-supplied data within the Tax Rates functionality to prevent injection of malicious scripts. 3. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in the browser context. 4. Limit user privileges to the minimum necessary, especially for users who can modify tax rates or other critical financial data. 5. Conduct regular security audits and penetration testing focused on web application vulnerabilities, including XSS. 6. Educate users about the risks of interacting with untrusted content and encourage cautious behavior when clicking links or opening data within the invoicing system. 7. Monitor logs and application behavior for unusual activities that could indicate exploitation attempts. 8. If upgrading immediately is not feasible, consider temporary mitigations such as disabling the Tax Rates editing feature or restricting access to trusted administrators only.