CVE-2025-9170: Cross Site Scripting in SolidInvoice
A vulnerability was identified in SolidInvoice up to 2.4.0. The affected element is an unknown function of the file /tax/rates of the component Tax Rates Module. Manipulation of the argument Name leads to cross-site scripting. The attack can be executed remotely. A public exploit is available and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-9170 is a cross-site scripting (XSS) vulnerability in SolidInvoice versions up to 2.4.0, located in the Tax Rates Module at the /tax/rates endpoint. It arises from improper sanitization or validation of the 'Name' argument in an unidentified function of that module, which lets an attacker inject script into content rendered to other users. The flaw is exploitable remotely without authentication, but user interaction is required to trigger the payload. It carries a CVSS 4.0 base score of 5.1 (medium severity): network attack vector, low attack complexity, no privileges required, user interaction required. The impact falls mainly on the confidentiality and integrity of user sessions: arbitrary JavaScript executing in the victim's browser can lead to session hijacking, credential theft, or redirection to malicious sites. The vendor was notified early but has not responded or released a patch; no exploitation in the wild is known, but a public exploit is available, which raises the likelihood of exploitation.
Potential Impact
For European organizations using SolidInvoice, particularly those managing invoicing and tax rates through the vulnerable versions, this XSS vulnerability poses a significant risk. Attackers could exploit this flaw to steal session cookies or credentials of users, potentially gaining unauthorized access to sensitive financial data or administrative functions. This could lead to financial fraud, data breaches involving client information, and reputational damage. Since SolidInvoice is used for invoicing, compromised systems could disrupt billing operations, impacting business continuity. The lack of vendor response and patch availability increases exposure time. Additionally, given the remote exploitability and public availability of the exploit code, attackers could target European SMEs and enterprises relying on SolidInvoice, especially those with web-facing interfaces accessible to clients or employees. The vulnerability could also be leveraged as a foothold for further attacks within corporate networks.
Mitigation Recommendations
Organizations should immediately assess their use of SolidInvoice and identify any instances running versions 2.0 through 2.4.0. Until an official patch is released, implement the following mitigations: 1) Employ web application firewalls (WAFs) with custom rules to detect and block malicious payloads targeting the /tax/rates endpoint and suspicious input in the 'Name' parameter. 2) Enforce Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. 3) Where possible, add input validation and sanitization at the application layer by applying custom patches or filters to the 'Name' parameter. 4) Limit access to the Tax Rates Module to trusted users and IP addresses via network segmentation or VPNs. 5) Educate users about the risks of clicking on suspicious links or inputs that could trigger XSS attacks. 6) Monitor logs for unusual activity or repeated attempts to exploit this vulnerability. 7) Consider temporarily disabling or restricting the vulnerable module if feasible. Organizations should also watch for vendor updates or community patches and apply them promptly once available.
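The following is an added illustration of mitigations 2, 3 and 6 in Python; it is not SolidInvoice's own code (the project is written in PHP) and does not reflect how the application stores or renders tax rates. The field name "name", the allowlist policy, the CSP value and the access-log lines are all constructed for this example. It shows the three defender-side pieces together: an allowlist for the tax-rate name applied before storage, HTML output encoding of the stored value so markup is displayed rather than interpreted, a restrictive Content-Security-Policy header, and a scan of access-log lines for /tax/rates requests whose "name" query value fails the allowlist.

```python
# Added example, not SolidInvoice's own code: defensive handling of a user-supplied
# tax-rate name (mitigations 2 and 3 above) and a log check for odd submissions to
# /tax/rates (mitigation 6). The field name "name", the allowlist policy, the CSP
# value and the log lines are all constructed for this example.
import html
import re
import urllib.parse

# Assumed allowlist for a tax-rate name: letters, digits, spaces and a few
# punctuation marks, at most 64 characters. Rejecting everything else before
# storage is the application-layer filter of mitigation 3.
NAME_RE = re.compile(r"^[A-Za-z0-9 .,%()/&'-]{1,64}$")


def validate_tax_rate_name(name: str) -> bool:
    """True if the name satisfies the allowlist, False otherwise."""
    return NAME_RE.match(name) is not None


def render_tax_rate_row(name: str, rate: float) -> str:
    """Contextual output encoding: escape the stored name before placing it in
    HTML so that markup in the value is displayed literally, never interpreted."""
    safe_name = html.escape(name, quote=True)
    return f"<tr><td>{safe_name}</td><td>{rate:.2f}%</td></tr>"


def csp_header() -> tuple[str, str]:
    """Header name and a restrictive Content-Security-Policy value (mitigation 2).
    Inline scripts are not allowed by this policy, so a script fragment that
    reaches the page without encoding still does not execute. The source lists
    are a starting point and must be adapted to what the deployment loads."""
    policy = ("default-src 'self'; script-src 'self'; object-src 'none'; "
              "base-uri 'self'; frame-ancestors 'none'")
    return "Content-Security-Policy", policy


# Constructed access-log lines in a simplified combined format (mitigation 6).
SAMPLE_LOG = """\
203.0.113.7 - - [19/Aug/2025:22:10:01 +0000] "GET /tax/rates?name=VAT%2020%25 HTTP/1.1" 200 512
203.0.113.7 - - [19/Aug/2025:22:10:09 +0000] "POST /tax/rates HTTP/1.1" 302 0
198.51.100.4 - - [19/Aug/2025:22:11:40 +0000] "GET /tax/rates?name=%3Cb%3Ebold HTTP/1.1" 200 640
198.51.100.4 - - [19/Aug/2025:22:11:41 +0000] "GET /tax/rates?name=%3Cscript%3E HTTP/1.1" 200 640
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_tax_rate_requests(log_text: str) -> list[tuple[str, str]]:
    """Return (client IP, decoded name) for /tax/rates requests whose "name"
    query value fails the allowlist. Only the query string is visible in an
    access log; POST bodies need the application's own logging or a WAF."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue
        target = urllib.parse.urlsplit(m.group("target"))
        if target.path != "/tax/rates":
            continue
        for value in urllib.parse.parse_qs(target.query).get("name", []):
            if not validate_tax_rate_name(value):
                hits.append((m.group("ip"), value))
    return hits


if __name__ == "__main__":
    print(render_tax_rate_row("<b>VAT</b>", 20.0))
    print(": ".join(csp_header()))
    for ip, value in suspicious_tax_rate_requests(SAMPLE_LOG):
        print(f"suspicious name from {ip}: {value!r}")
```

The allowlist and the output encoding are independent layers: the first keeps bad values out of the database, the second makes sure a value that got in before the filter existed is still harmless on display. The CSP is a third, browser-side layer that limits what an injected fragment could do if both of the others were bypassed. The log scan only sees query strings, so for a form submitted by POST the equivalent check belongs in the WAF rule or the application's own request logging.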
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-08-19T13:37:05.164Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68a4f80bad5a09ad00fbeb18
Added to database: 8/19/2025, 10:17:47 PM
Last enriched: 8/19/2025, 10:32:43 PM
Last updated: 8/20/2025, 12:35:26 AM
Views: 3
Related Threats
- CVE-2025-9132: Out of bounds write in Google Chrome (High)
- CVE-2025-9193: Open Redirect in TOTVS Portal Meu RH (Medium)
- CVE-2025-9176: OS Command Injection in neurobin shc (Medium)
- CVE-2025-9175: Stack-based Buffer Overflow in neurobin shc (Medium)
- CVE-2025-9174: OS Command Injection in neurobin shc (Medium)