
CVE-2025-55580
Severity: Medium
Published: Fri Aug 29 2025 (08/29/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

SolidInvoice version 2.3.7 is vulnerable to a stored cross-site scripting (XSS) issue in the Clients module. An authenticated attacker can inject JavaScript that executes in other users' browsers when the Clients page is viewed. The vulnerability is fixed in version 2.3.8.

AI-Powered Analysis

Last updated: 09/05/2025, 20:29:48 UTC

Technical Analysis

CVE-2025-55580 is a stored cross-site scripting (XSS) vulnerability in SolidInvoice version 2.3.7, specifically within the Clients module. It allows an authenticated attacker to inject JavaScript into the application; the script is stored and later executes in the browsers of other users who view the Clients page. Stored XSS is particularly dangerous because the payload persists on the server and affects every user who loads the affected page, not only the user who was tricked into a single request. Here the attacker needs some authenticated access (low privileges) to store the payload, and user interaction is required for it to execute (another user must visit the Clients page). The vulnerability affects confidentiality and integrity: it can enable session hijacking, theft of sensitive data, or unauthorized actions performed on behalf of the victim user. It has been assigned a CVSS v3.1 base score of 5.4 (medium severity), with the vector indicating a network attack vector, low attack complexity, privileges required, user interaction required, and a scope change. The vulnerability was fixed in SolidInvoice version 2.3.8. No exploits in the wild are currently reported. The CWE classification is CWE-79, improper neutralization of input during web page generation (cross-site scripting).

Potential Impact

For European organizations running SolidInvoice 2.3.7 or earlier, this vulnerability poses a moderate risk. SolidInvoice is invoicing and billing software, so it is likely to hold sensitive financial and client data. Exploitation could lead to unauthorized disclosure of client information, session hijacking, or manipulation of invoicing data, with financial fraud or reputational damage as possible consequences. Because the attacker must be authenticated, the attack surface is limited to insiders or compromised accounts, but the scope change and the stored nature of the XSS increase the risk of persistent exploitation and of an attacker extending access to other users' sessions. Organizations with many users accessing the Clients module are at higher risk, since a single stored payload can affect all of them. The absence of known exploits reduces the immediate risk, but the medium severity and low attack complexity warrant prompt remediation. Under GDPR, a data breach resulting from exploitation could also lead to regulatory penalties.

Mitigation Recommendations

European organizations should upgrade SolidInvoice to version 2.3.8 or later, where the vulnerability is patched. Until the upgrade is applied, restrict access to the Clients module to trusted users only and monitor for suspicious activity or unusual client-side behavior. A Content Security Policy (CSP) header can limit the impact of XSS by restricting which scripts the browser is allowed to execute. Input validation and, above all, output encoding should be reviewed and strengthened in custom deployments or integrations. Regularly auditing user privileges to minimize the number of accounts with access to the Clients module reduces the attack surface. Logging and monitoring for anomalous client-side script execution or unexpected changes in client data can help detect exploitation attempts early. Finally, educating users about the risks of XSS and encouraging caution when interacting with the Clients page can reduce the likelihood of successful exploitation.
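The recommendations above name three controls (output encoding, a CSP header, and reviewing stored client data for unexpected content). The following is an added illustration of those controls, not code from SolidInvoice or from this advisory; the client record fields, the markup heuristic and the CSP directive set are assumptions chosen for the example, and the sample records are constructed.

```python
import html
import re

# Constructed sample client records (not real SolidInvoice data): record 2
# carries stored markup of the kind a reviewer would want flagged.
SAMPLE_CLIENTS = [
    {"id": 1, "name": "Acme GmbH", "notes": "Net 30"},
    {"id": 2, "name": "Contoso <b>Ltd</b>", "notes": ""},
    {"id": 3, "name": "Example & Sons", "notes": "Prefers PDF invoices"},
]


def render_client_row_unescaped(client):
    """The pattern behind CWE-79: stored values are interpolated into HTML
    as-is, so any markup in the record becomes part of the page."""
    return f"<tr><td>{client['name']}</td><td>{client['notes']}</td></tr>"


def render_client_row(client):
    """Hardened form: every untrusted value is HTML-escaped at output time,
    so the browser displays it as text instead of parsing it as markup."""
    name = html.escape(str(client["name"]), quote=True)
    notes = html.escape(str(client["notes"]), quote=True)
    return f"<tr><td>{name}</td><td>{notes}</td></tr>"


def render_clients_table(clients):
    """Render the whole Clients table through the escaping row renderer."""
    rows = "".join(render_client_row(c) for c in clients)
    return f"<table>{rows}</table>"


# Heuristic for data that is already stored: a tag opener, a javascript: URL
# or an inline event-handler attribute has no business in a client name or note.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z]|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)

# Assumed field names for the example; adapt to the real schema.
FIELDS_TO_CHECK = ("name", "notes")


def find_suspicious_clients(clients):
    """Return (id, field) pairs whose stored value looks like markup, for
    manual review after upgrading: escaping fixes future rendering, but
    records written while 2.3.7 was in use are still worth inspecting."""
    hits = []
    for client in clients:
        for field in FIELDS_TO_CHECK:
            if MARKUP_RE.search(str(client.get(field, ""))):
                hits.append((client["id"], field))
    return hits


def csp_header(nonce=None):
    """Build a Content-Security-Policy value that only permits same-origin
    scripts (plus a per-response nonce when the application can supply one).
    The directive set is an assumption for this example, not SolidInvoice's."""
    script_src = "'self'"
    if nonce:
        script_src += f" 'nonce-{nonce}'"
    return (
        "default-src 'self'; "
        f"script-src {script_src}; "
        "object-src 'none'; base-uri 'self'; frame-ancestors 'none'"
    )


if __name__ == "__main__":
    print(render_clients_table(SAMPLE_CLIENTS))
    print("records to review:", find_suspicious_clients(SAMPLE_CLIENTS))
    print("Content-Security-Policy:", csp_header())
```

The escaping belongs at the point of output, not at input: a name like "Example & Sons" is legitimate data and must be stored unchanged, then rendered as `Example &amp; Sons`. The stored-data scan is a review aid rather than a blocking filter, since its regular expression will produce both misses and false positives; its purpose is to give a short list of records to inspect after the upgrade. The CSP header is defence in depth and does not replace the fix in 2.3.8, because it only limits what an injected script can do, not whether markup reaches the page.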


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-08-13T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 68b1d9c3ad5a09ad007982ce

Added to database: 8/29/2025, 4:48:03 PM

Last enriched: 9/5/2025, 8:29:48 PM

Last updated: 10/19/2025, 5:49:31 PM

Views: 44
