SCA: security update for facturascripts/facturascripts (GHSA-2267-xqcf-gw2m)

medium Tenable Self-Hosted Container Security Plugin ID 436561

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version
2025.7, a stored cross-site scripting (XSS) vulnerability exists in the product file upload functionality.
Authenticated users can upload crafted XML files containing executable JavaScript. These files are later
rendered by the application without sufficient sanitization or content-type enforcement, allowing
arbitrary JavaScript execution when the file is accessed. Because product files uploaded by regular users
are visible to administrative users, this vulnerability can be leveraged to execute malicious JavaScript
in an administrator’s browser session. Version 2025.7 fixes the issue. (CVE-2025-69210)

See Also

https://github.com/advisories/GHSA-2267-xqcf-gw2m

Plugin Details

Severity: Medium

ID: 436561

Version: Revision 1.49

Type: Local

Family: SCA Checks

Published: 1/3/2026

Updated: 6/30/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.3

Percentile: 53.59

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 4.3

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N

CVSS Score Source: CVE-2025-69210

CVSS v3

Risk Factor: Medium

Base Score: 5.4

Temporal Score: 4.9

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 5.1

Threat Score: 1.2

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 12/30/2025

Vulnerability Publication Date: 12/30/2025

Reference Information

CVE: CVE-2025-69210

CWE: CWE-79