CVE-2026-27964
Severity: LOW 3.9 | EPSS 0.02%
FacturaScripts vulnerable to Reflected Cross-Site Scripting (XSS) via Cookie Manipulation
Description
### Summary

A Reflected Cross-Site Scripting (XSS) vulnerability exists in the fsNick cookie parameter. The application reflects the cookie's value directly into the HTML without sanitization.

### Details

The fsNick cookie is rendered into the DOM without encoding. While the server does reject the modified session and forces a logout, the HTML containing the payload reaches the browser first. This lets the script execute immediately upon load, effectively beating the redirect.

### PoC

1. Log in to the application with any valid account.
   ![image](https://github.com/user-attachments/assets/d8a9a779-44e0-4a3e-839f-0a031868fbd5)
2. Capture any GET request.
   ![image](https://github.com/user-attachments/assets/22e43f73-4f86-4cab-a074-7aba584a71ac)
3. Modify the value of "fsNick" with the following JavaScript: `<script>alert(window.origin)</script>`
4. Send the modified request.
   ![image](https://github.com/user-attachments/assets/ade88db1-aadc-4c50-9e02-d09888067e98)
5. Result
   ![image](https://github.com/user-attachments/assets/5858fe9f-127a-4845-b484-5a7ef4ae2cb4)

### Impact

The payload executes before the session ends, which could allow a single unauthorized action before the logout.
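As an added, illustrative PHP example (not FacturaScripts' own code; the function names and the cookie-handling flow are hypothetical), the unsafe reflection of a cookie value is shown beside its encoded form, together with a session check that runs before any HTML is emitted, so a rejected session never reaches the browser with markup already in it:

```php
<?php
// Added illustrative example, not FacturaScripts' own code. Function names are
// hypothetical; the only page-specific value is the fsNick cookie name.
declare(strict_types=1);

/** Vulnerable pattern: the cookie value is placed into HTML verbatim. */
function renderNickUnsafe(array $cookies): string
{
    $nick = (string) ($cookies['fsNick'] ?? '');
    return '<span class="nick">' . $nick . '</span>';
}

/** Hardened pattern: contextual output encoding for an HTML text node. */
function renderNickSafe(array $cookies): string
{
    $nick = (string) ($cookies['fsNick'] ?? '');
    // ENT_QUOTES | ENT_HTML5 encodes <, >, &, " and ' so the value can never
    // close the element or open a new tag; the charset is given explicitly.
    $encoded = htmlspecialchars($nick, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<span class="nick">' . $encoded . '</span>';
}

/**
 * Server-side guard: the advisory notes the server rejects the tampered
 * session only after the HTML has been sent. The check must run before any
 * output, and it must be a constant-time comparison against the session user.
 */
function nickMatchesSession(array $cookies, string $sessionUser): bool
{
    $nick = (string) ($cookies['fsNick'] ?? '');
    return $nick !== '' && hash_equals($sessionUser, $nick);
}

// Constructed sample: a cookie jar carrying the advisory's probe payload.
$cookies = ['fsNick' => '<script>alert(window.origin)</script>'];

if (!nickMatchesSession($cookies, 'admin')) {
    // Reject before rendering: nothing tainted is ever written to the page.
    echo "session rejected before output\n";
}
echo renderNickUnsafe($cookies), "\n"; // raw markup: the browser runs it
echo renderNickSafe($cookies), "\n";   // &lt;script&gt;...: rendered as text
```

Both the encoding and the pre-output check are needed: encoding prevents the value from being interpreted as markup, and checking before output removes the window in which the page is delivered before the session is rejected.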
Affected packages (1)
- Packagist: facturascripts/facturascripts, from 0, <= 2025.71
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | LOW 3.9 | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N |