CVE-2025-9171 is a cross-site scripting (XSS) vulnerability identified in SolidInvoice versions up to 2.4.0, specifically within the Clients Module at the /clients endpoint. The vulnerability arises from improper sanitization or validation of the 'Name' argument, allowing an attacker to inject malicious scripts. This flaw can be exploited remotely without authentication, requiring only user interaction to trigger the payload. The vulnerability has a CVSS 4.0 base score of 5.1, indicating a medium severity level. The attack vector is network-based (AV:N), with low attack complexity (AC:L), no privileges required (PR:L), but user interaction is necessary (UI:P). The impact primarily affects the integrity and limited confidentiality of the affected system, as the XSS can be used to hijack user sessions, steal cookies, or perform actions on behalf of the victim user. The vendor has not responded to disclosure attempts, and no official patches or mitigations have been released, increasing the risk for organizations using affected versions. Although no known exploits are currently in the wild, the public availability of the exploit code raises the likelihood of exploitation in the near future.

For European organizations using SolidInvoice up to version 2.4.0, this vulnerability poses a tangible risk to client data confidentiality and user session integrity. Since SolidInvoice is an invoicing and billing platform, exploitation could lead to unauthorized access to sensitive financial information, client details, and potentially manipulation of billing data. This could result in financial fraud, reputational damage, and regulatory non-compliance, especially under GDPR requirements for protecting personal data. The remote exploitability without authentication means attackers can target exposed SolidInvoice instances over the internet, increasing the attack surface. The requirement for user interaction suggests phishing or social engineering could be used to trigger the attack, which is a common vector in European cybercrime campaigns. The lack of vendor response and patches means organizations must rely on their own mitigations, increasing operational risk. The medium severity rating reflects moderate impact but ease of exploitation, making it a relevant threat for European SMEs and enterprises using this software.

Given the absence of official patches, European organizations should immediately implement the following mitigations: 1) Apply strict input validation and output encoding on the 'Name' parameter within the Clients Module, either by customizing the application code or using web application firewalls (WAFs) with rules targeting this specific XSS pattern. 2) Restrict access to the /clients endpoint to trusted internal networks or VPNs to reduce exposure to remote attackers. 3) Educate users about phishing and social engineering risks to minimize the chance of user interaction triggering the exploit. 4) Monitor web server and application logs for suspicious input patterns or anomalous requests targeting the vulnerable parameter. 5) Consider deploying Content Security Policy (CSP) headers to limit the execution of injected scripts. 6) Plan for an upgrade or migration to a patched or alternative invoicing solution once available, as reliance on unpatched software increases risk. 7) Regularly back up invoicing data and verify integrity to enable recovery in case of compromise.