CVE-2025-9169: Cross Site Scripting in SolidInvoice
A vulnerability has been identified in SolidInvoice up to version 2.4.0. It affects an unknown function of the file /quotes in the Quote Module. Manipulation of the argument Name leads to cross-site scripting. The attack can be launched remotely. The exploit has been publicly disclosed and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-9169 is a cross-site scripting (XSS) vulnerability identified in SolidInvoice versions up to 2.4.0, specifically within the Quote Module's /quotes endpoint. The vulnerability arises from improper sanitization or validation of the 'Name' argument, allowing an attacker to inject malicious scripts. The attack vector is reachable over the network (AV:N) and the attack complexity is low (AC:L). The vector records PR:L (low privileges), although this analysis treats the flaw as remotely exploitable without authentication. User interaction is required (UI:P), meaning the victim must interact with a crafted link or input for the exploit to succeed. The vulnerability impacts the integrity and confidentiality of user sessions by potentially executing arbitrary JavaScript in the context of the victim's browser, leading to session hijacking, credential theft, or unauthorized actions. The vendor has not responded to early notifications, and no patches or mitigations have been published yet. The CVSS v4.0 score is 5.1, categorizing this as a medium severity issue. Although no known exploits are currently in the wild, the public disclosure increases the risk of exploitation. The vulnerability affects multiple versions (2.0 through 2.4.0), indicating a broad exposure for users of this invoicing software. Given the nature of SolidInvoice as a billing and invoicing platform, exploitation could lead to manipulation of financial data or unauthorized access to sensitive client information.
Potential Impact
For European organizations using SolidInvoice, this vulnerability poses a significant risk to the confidentiality and integrity of financial and client data. Successful exploitation could allow attackers to execute malicious scripts in the browsers of employees or clients, potentially leading to session hijacking, theft of sensitive information, or unauthorized transactions. This could damage organizational reputation, lead to regulatory non-compliance (e.g., GDPR violations due to data breaches), and cause financial losses. Since invoicing systems are critical for business operations, disruption or compromise could affect business continuity. The medium severity rating suggests moderate risk; however, the lack of vendor response and patches increases exposure. Organizations relying on SolidInvoice for billing should be particularly vigilant, as attackers might leverage this vulnerability to target European SMEs and enterprises that use this software for client invoicing and financial management.
Mitigation Recommendations
1. Immediate mitigation should include implementing web application firewalls (WAFs) with custom rules to detect and block malicious input patterns targeting the 'Name' parameter in the /quotes endpoint.
2. Employ strict input validation and output encoding on all user-supplied data, especially in the Quote Module, to prevent script injection.
3. Restrict access to the invoicing system to trusted networks or VPNs to reduce exposure to remote attackers.
4. Monitor logs for unusual requests or repeated attempts to inject scripts via the vulnerable parameter.
5. Educate users to avoid clicking on suspicious links or inputs that could trigger the XSS payload.
6. As no official patch is available, consider temporary application-level mitigations such as disabling or limiting the functionality of the /quotes endpoint if feasible.
7. Plan for rapid deployment of patches or updates once the vendor releases a fix.
8. Conduct regular security assessments and penetration testing focused on web application vulnerabilities to detect similar issues proactively.
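As an added example (not from this page or from SolidInvoice), the following Python puts recommendations 2 and 4 into practice: it scans Common Log Format access-log lines for /quotes requests whose name parameter contains markup, and shows the output encoding a template layer should apply before rendering that name. It assumes the argument travels as a query parameter literally named `name`; the page only gives the path /quotes and the argument label 'Name', and the log lines are constructed.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Markup indicators in a value that should be a plain quote/client name. A tag needs
# '<' followed directly by '/' or a letter, so "Müller < Sohn" does not alert.
SUSPICIOUS = re.compile(
    r"</?[a-z]"            # opening or closing HTML tag, e.g. <script, </div
    r"|\bon[a-z]+\s*="     # inline event-handler attribute, e.g. onerror=
    r"|javascript\s*:",    # javascript: URL scheme
    re.IGNORECASE,
)

# Common Log Format request line; only the fields used below are captured.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

def name_param(target):
    """Percent-decoded 'name' query value of a /quotes request, else None (assumed parameter name)."""
    parts = urlsplit(target)
    if not parts.path.startswith("/quotes"):
        return None
    values = parse_qs(parts.query).get("name")  # parse_qs decodes '+' and %XX
    return values[0] if values else None

def flag_quote_requests(lines):
    """(client_ip, decoded_name) for /quotes requests whose name looks like markup."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        name = name_param(m.group("target"))
        if name is not None and SUSPICIOUS.search(name):
            hits.append((m.group("ip"), name))
    return hits

def render_name(name):
    """Output-encode a name for an HTML text or attribute context (recommendation 2)."""
    return html.escape(name, quote=True)

# Constructed access-log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Aug/2025:21:47:58 +0000] "GET /quotes?name=Acme+GmbH HTTP/1.1" 200 1532',
    '203.0.113.7 - - [19/Aug/2025:21:48:03 +0000] "GET /quotes?name=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 1610',
    '198.51.100.2 - - [19/Aug/2025:21:48:10 +0000] "GET /invoices?name=%3Cb%3Ex HTTP/1.1" 200 900',
    '203.0.113.9 - - [19/Aug/2025:21:48:12 +0000] "GET /quotes?name=M%C3%BCller+%3C+Sohn HTTP/1.1" 200 1532',
]
```

`flag_quote_requests(SAMPLE_LOG)` reports only the second line; the /invoices request and the legitimate name containing a bare `<` are left alone. Access logs do not carry form-encoded POST bodies, so this only covers values sent in the query string.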
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-08-19T13:37:02.638Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68a4f10ead5a09ad00fbbd18
Added to database: 8/19/2025, 9:47:58 PM
Last enriched: 8/19/2025, 10:02:44 PM
Last updated: 8/20/2025, 12:35:26 AM