CVE-2025-9168: Cross Site Scripting in SolidInvoice
A vulnerability was found in SolidInvoice up to 2.4.0. This issue affects some unknown processing of the file /invoice of the component Invoice Creation Module. The manipulation of the argument Client Name results in cross site scripting. The attack may be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-9168 is a cross-site scripting (XSS) vulnerability identified in SolidInvoice versions up to 2.4.0, specifically within the Invoice Creation Module's /invoice endpoint. The vulnerability arises from improper sanitization or validation of the 'Client Name' parameter, which an attacker can manipulate to inject malicious scripts. When the vulnerable endpoint processes a crafted request, arbitrary JavaScript executes in the context of the victim's browser. The attack vector is remote and does not require prior authentication, although it requires some user interaction (UI:P) to trigger the malicious payload. The CVSS 4.0 score of 5.1 reflects a medium severity level, indicating moderate impact primarily on confidentiality and integrity with limited impact on availability. The vulnerability does not require privileges but does require user interaction, and the scope is unchanged, meaning the exploit affects only the vulnerable component without extending to other system components. The vendor has been contacted but has not responded or provided a patch, and no known exploits are currently observed in the wild. This vulnerability could be leveraged for session hijacking, credential theft, or delivering further malware through the victim's browser, especially targeting users who interact with the invoicing system. Given the nature of invoicing software, which often holds sensitive financial and client data, exploitation could lead to data leakage or unauthorized actions within the invoicing platform.
Potential Impact
For European organizations using SolidInvoice, this vulnerability poses a risk of client-side attacks that could compromise user sessions and expose sensitive financial data. Since invoicing systems are integral to business operations, successful exploitation could disrupt business workflows, lead to data breaches involving client information, and damage organizational reputation. The medium severity suggests that while the vulnerability is not critical, it still presents a tangible risk, especially in environments where multiple users access the invoicing system via web browsers. Attackers could exploit this vulnerability to perform phishing attacks, steal authentication tokens, or manipulate invoice data, potentially leading to financial fraud or compliance violations under regulations such as GDPR. The lack of vendor response and absence of patches increases the risk exposure for organizations relying on this software. Additionally, the remote attack vector means that attackers do not need internal access, increasing the threat surface for organizations with externally accessible invoicing portals.
Mitigation Recommendations
Organizations should immediately assess their use of SolidInvoice and identify if affected versions (2.0 through 2.4.0) are in deployment. Since no official patch is available, mitigation should focus on implementing web application firewalls (WAFs) with rules to detect and block XSS payloads targeting the /invoice endpoint and the Client Name parameter. Input validation and output encoding should be enforced at the application level if source code access and modification are possible. Restricting access to the invoicing system to trusted networks or VPNs can reduce exposure. User education to recognize suspicious invoice-related links or behaviors can help mitigate social engineering attempts leveraging this vulnerability. Monitoring web server logs for unusual requests to the /invoice endpoint and anomalous client-side script execution can aid in early detection. Organizations should also consider isolating the invoicing system from critical internal networks to limit lateral movement in case of compromise. Finally, engaging with the vendor or community for updates or patches and planning for an upgrade once a fix is available is essential.
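The two application-side controls named above, output encoding of the Client Name value and log review for unusual requests to the /invoice endpoint, as an added example. This is illustrative code written for this page, not SolidInvoice's own code; the parameter name `client_name`, the combined-format log lines and the IP addresses are constructed assumptions, and SolidInvoice's real parameter names may differ.

```python
"""
Added example (not SolidInvoice code): two defensive checks for the Client Name
field discussed in the mitigation section.

1. render_client_name(): contextual output encoding before the value is placed
   in HTML, the application-level fix named above.
2. find_suspicious_invoice_requests(): a log-review helper that flags requests
   to /invoice whose decoded client-name parameter carries HTML/JS syntax.

The parameter name "client_name", the log format and all sample lines are
assumptions for illustration.
"""
import html
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit


def render_client_name(name: str) -> str:
    """Return the client name encoded for an HTML text or attribute context.

    html.escape with quote=True encodes <, >, &, " and ', so a value such as
    <script>...</script> is displayed literally instead of parsed as markup.
    """
    return html.escape(name, quote=True)


# Heuristic markers of HTML/JS syntax that should never appear in a plain
# client name. This is a review aid, not a WAF signature: it detects syntax,
# not any specific payload, and a name like "a<b" will be flagged for review.
_SUSPICIOUS = re.compile(
    r"</?[a-z!]"            # opening or closing HTML tag start
    r"|javascript\s*:"      # javascript: URL scheme
    r"|\bon[a-z]+\s*="      # inline event-handler attribute (onerror=, onload=)
    r"|&#x?[0-9a-f]+;",     # numeric character references used for obfuscation
    re.IGNORECASE,
)

# Combined-format access log request line: ip ident user [ts] "METHOD target proto" status
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not real traffic). Query strings appear URL-encoded,
# as a web server would log them.
SAMPLE_LOG = """\
203.0.113.10 - - [19/Aug/2025:21:17:47 +0000] "GET /invoice?client_name=Acme+GmbH HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
203.0.113.11 - - [19/Aug/2025:21:18:02 +0000] "GET /invoice?client_name=%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E HTTP/1.1" 200 4102 "-" "Mozilla/5.0"
203.0.113.12 - - [19/Aug/2025:21:18:30 +0000] "GET /invoice?client_name=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 4088 "-" "curl/8.4"
203.0.113.13 - - [19/Aug/2025:21:19:05 +0000] "GET /clients?search=%3Cscript%3E HTTP/1.1" 200 1203 "-" "Mozilla/5.0"
203.0.113.14 - - [19/Aug/2025:21:19:40 +0000] "GET /invoice?client_name=O%27Brien+%26+Sons HTTP/1.1" 200 4011 "-" "Mozilla/5.0"
"""


def find_suspicious_invoice_requests(log_text: str, endpoint: str = "/invoice",
                                     param: str = "client_name") -> list[dict]:
    """Scan combined-format access log text and return one finding per request
    to `endpoint` whose decoded `param` value matches _SUSPICIOUS.

    Only the request line is inspected: POST bodies are not in a standard
    access log, so this covers query-string submissions. Values are decoded a
    second time so double-encoded input is not missed.
    """
    findings = []
    for line in log_text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip it
        parts = urlsplit(m.group("target"))
        if parts.path != endpoint:
            continue
        for value in parse_qs(parts.query).get(param, []):
            # parse_qs already URL-decoded once; decode again for the match only
            if _SUSPICIOUS.search(value) or _SUSPICIOUS.search(unquote_plus(value)):
                findings.append({
                    "ip": m.group("ip"),
                    "timestamp": m.group("ts"),
                    "value": value,
                    "safe_render": render_client_name(value),
                })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_invoice_requests(SAMPLE_LOG):
        print(f"{f['timestamp']} {f['ip']} client_name={f['value']!r} -> rendered as {f['safe_render']!r}")
```

Running the module over the constructed log flags the two /invoice requests carrying tag syntax, ignores the same string sent to a different path, and leaves the apostrophe-and-ampersand name unflagged while still showing how it would be encoded safely. Output encoding, not the detector, is the actual fix: the detector only helps prioritise log review until a vendor patch exists.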
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-08-19T13:36:59.836Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68a4e9fbad5a09ad00fb71ab
Added to database: 8/19/2025, 9:17:47 PM
Last enriched: 8/27/2025, 1:14:50 AM
Last updated: 10/4/2025, 1:06:35 PM
Related Threats
- CVE-2024-24910: CWE-732: Incorrect Permission Assignment for Critical Resource in Check Point ZoneAlarm Extreme Security NextGen, Identity Agent for Windows, Identity Agent for Windows Terminal Server (High)
- CVE-2023-47488: n/a (Medium)
- CVE-2023-48029: n/a (Unknown)
- CVE-2023-47489: n/a (Unknown)
- CVE-2023-48028: n/a (Unknown)