
CVE-2025-9168: Cross Site Scripting in SolidInvoice

Medium
Published: Tue Aug 19 2025 (08/19/2025, 21:02:06 UTC)
Source: CVE Database V5
Product: SolidInvoice

Description

A vulnerability was found in SolidInvoice up to 2.4.0. This issue affects some unknown processing of the file /invoice of the component Invoice Creation Module. The manipulation of the argument Client Name results in cross site scripting. The attack may be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 08/19/2025, 21:32:55 UTC

Technical Analysis

CVE-2025-9168 is a cross-site scripting (XSS) vulnerability identified in SolidInvoice, a web-based invoicing application, affecting versions up to and including 2.4.0. The vulnerability resides in the Invoice Creation Module, specifically in the processing of the /invoice endpoint. The flaw arises from improper sanitization or validation of the 'Client Name' parameter, which allows an attacker to inject malicious scripts. This vulnerability can be exploited remotely without authentication, requiring only user interaction to trigger the malicious payload. The vulnerability has a CVSS 4.0 base score of 5.1, indicating a medium severity level. The attack vector is network-based with low attack complexity and no privileges required, but user interaction is necessary to execute the attack. The impact primarily affects the confidentiality and integrity of the affected user's session or data, as the injected scripts could be used to steal cookies, session tokens, or perform actions on behalf of the user. The vendor was notified but did not respond, and no official patches or mitigations have been released. Although no known exploits are currently observed in the wild, the public disclosure of the exploit code increases the risk of exploitation. This vulnerability is significant because SolidInvoice is used by small to medium enterprises for financial operations, and exploitation could lead to unauthorized access to sensitive financial data or manipulation of invoicing information.

Potential Impact

For European organizations using SolidInvoice, this vulnerability could lead to unauthorized disclosure of sensitive client and financial information, potentially violating GDPR requirements for data protection. Attackers could leverage the XSS flaw to hijack user sessions, perform fraudulent invoicing actions, or inject malicious content that compromises the integrity of financial records. The medium severity score reflects a moderate risk; however, the financial nature of the application elevates the potential business impact, including reputational damage and regulatory penalties. Since the vulnerability requires user interaction, phishing or social engineering campaigns could be used to trick employees into triggering the exploit. Organizations relying on SolidInvoice for invoicing and client management should be aware that exploitation could disrupt business operations and lead to financial loss or data breaches.

Mitigation Recommendations

Given the lack of an official patch, European organizations should implement immediate compensating controls. These include:

1) Validate and sanitize input at the web application firewall (WAF) level to detect and block malicious payloads targeting the 'Client Name' parameter;
2) Employ Content Security Policy (CSP) headers to restrict execution of unauthorized scripts;
3) Educate users about phishing risks and suspicious links to reduce the likelihood of user interaction with malicious content;
4) Monitor web server logs and application behavior for unusual activity related to the /invoice endpoint;
5) If feasible, isolate the SolidInvoice application in a segmented network zone with restricted access;
6) Consider migrating to an alternative invoicing solution or upgrading to a patched version once one is available;
7) Regularly back up invoicing data to enable recovery in case of compromise.

Additionally, organizations should maintain up-to-date detection signatures in intrusion detection/prevention systems (IDS/IPS) to identify exploitation attempts.
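Items 1 and 4 above, as an added example that is not SolidInvoice code or part of the original advisory: the unencoded rendering pattern behind a stored XSS in a name field beside its HTML-encoded form, a WAF-style check for markup in the 'Client Name' value, and a scan of access-log lines for /invoice requests carrying such values. The parameter name client_name, the combined log format and every sample value are assumptions constructed for the example.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit, unquote

# Constructed sample value of the kind the advisory describes for 'Client Name'.
SAMPLE_CLIENT_NAME = 'ACME <img src=x onerror=alert(1)> & Sons'

def render_unsafe(client_name: str) -> str:
    """Vulnerable pattern: the field is concatenated into HTML unencoded."""
    return f'<td class="client">{client_name}</td>'

def render_safe(client_name: str) -> str:
    """Fixed pattern: HTML-context output encoding of & < > " and '."""
    return f'<td class="client">{html.escape(client_name, quote=True)}</td>'

# Markup indicators in a field that should only ever hold a company or person name.
_MARKUP = re.compile(r'<|>|javascript:|\bon[a-z]+\s*=', re.IGNORECASE)

def suspicious_client_name(value: str) -> bool:
    """WAF-style check: decode twice to defeat double URL-encoding, then scan."""
    return bool(_MARKUP.search(unquote(unquote(value))))

# Constructed access-log lines (combined log format); parameter name is hypothetical.
SAMPLE_LOGS = [
    '10.0.0.7 - - [19/Aug/2025:21:03:10 +0000] "GET /invoice?client_name=%3Cscript%3E HTTP/1.1" 200 512',
    '10.0.0.8 - - [19/Aug/2025:21:04:00 +0000] "GET /invoice?client_name=Acme%20GmbH HTTP/1.1" 200 512',
    '10.0.0.9 - - [19/Aug/2025:21:05:00 +0000] "GET /invoice?client_name=%253Cimg%2520onerror%3Dx%253E HTTP/1.1" 200 512',
    '10.0.0.5 - - [19/Aug/2025:21:06:00 +0000] "GET /clients?client_name=%3Cb%3E HTTP/1.1" 200 512',
]
_REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def flag_invoice_requests(lines, param='client_name'):
    """Return (client_ip, decoded_value) for /invoice requests whose query string
    carries a suspicious value. Only query strings are visible in access logs;
    form POST bodies need application-level or WAF logging."""
    hits = []
    for line in lines:
        m = _REQUEST.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if url.path != '/invoice':
            continue
        for raw in parse_qs(url.query).get(param, []):  # parse_qs decodes once
            if suspicious_client_name(raw):
                hits.append((line.split()[0], unquote(raw)))
    return hits
```

The double-encoded third line is caught because the check decodes again after parse_qs has already decoded once; a single-decode filter would miss it.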


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-08-19T13:36:59.836Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68a4e9fbad5a09ad00fb71ab

Added to database: 8/19/2025, 9:17:47 PM

Last enriched: 8/19/2025, 9:32:55 PM

Last updated: 8/20/2025, 12:35:26 AM
