
H4Cd0C

Rank #46945 of 53,632 · Total CVSS 5.4 · Vulnerabilities: 1

PT-2026-5712 · CVSS 5.4 · 2026-02-02
Unknown · Facturascripts · CVE-2026-23476
**Name of the Vulnerable Software and Affected Versions**

FacturaScripts versions prior to 2025.8

**Description**

FacturaScripts is susceptible to a reflected cross-site scripting (XSS) issue stemming from improper handling of error messages. The application utilizes Twig's `| raw` filter, which bypasses HTML escaping. When a database error occurs, such as providing a string where an integer is expected, the resulting error message, including the input, is rendered without sanitization. This allows attackers to inject malicious scripts into the error message, potentially leading to credential phishing or other attacks.

The vulnerability exists in the `Core/View/Macro/Utils.html.twig` file, specifically on line 27. The issue is triggered by sending crafted input through parameters like `code` in API endpoints such as `/EditProducto?code=`, `/EditCliente?code=`, `/EditFacturaCliente?code=`, and `/EditProveedor?code=`. The error logging occurs in `Core/Base/DataBase.php` around line 236. Attackers can leverage this to steal credentials by injecting a fake login form, read page data, or potentially execute keyloggers and bypass CSRF protections.

**Recommendations**

Versions prior to 2025.8: Remove `| raw` from line 27 in `Core/View/Macro/Utils.html.twig`.
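The following is an added example, not FacturaScripts' own code and not the contents of `Utils.html.twig`. It renders the same error message through two minimal Twig templates, one using the `| raw` pattern described above and one with that filter removed (the fix the recommendation calls for), so a maintainer can see the difference in output and keep the assertion at the end as a regression check. It assumes Twig is installed through Composer (`vendor/autoload.php`); the template names, the `message` variable and the error string are constructed for this demonstration.

```php
<?php
// Added example (not FacturaScripts code): demonstrates how Twig's `raw`
// filter bypasses HTML autoescaping, versus the escaped default.
// Assumes Twig is available via Composer's autoloader.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;

// Render one message through both templates and return the two results.
function renderBoth(Environment $twig, string $message): array
{
    return [
        'vulnerable' => $twig->render('vulnerable.twig', ['message' => $message]),
        'hardened'   => $twig->render('hardened.twig', ['message' => $message]),
    ];
}

// Two constructed templates: the `| raw` pattern and the hardened form
// with the filter removed, so Twig's HTML autoescaping applies.
$loader = new ArrayLoader([
    'vulnerable.twig' => '<div class="alert">{{ message | raw }}</div>',
    'hardened.twig'   => '<div class="alert">{{ message }}</div>',
]);
$twig = new Environment($loader, ['autoescape' => 'html']);

// Constructed database error that echoes the offending input back, as the
// advisory describes; the markup is a placeholder standing in for untrusted data.
$untrustedInput = '<b>CONSTRUCTED_MARKUP</b>';
$message = "Invalid value for integer column 'code': " . $untrustedInput;

$out = renderBoth($twig, $message);
echo "with | raw : " . $out['vulnerable'] . PHP_EOL;
echo "escaped    : " . $out['hardened'] . PHP_EOL;

// Regression check: the hardened template must never emit the literal tags
// that came from user input, only their escaped form.
assert(strpos($out['hardened'], '<b>') === false);
assert(strpos($out['hardened'], '&lt;b&gt;') !== false);
```

Run it with `php example.php` from a project that has Twig installed. The first line shows the markup passing through untouched, which is the condition the advisory describes; the second shows `&lt;b&gt;...&lt;/b&gt;`, the browser displaying the text rather than interpreting it. If an error view genuinely needs to render trusted HTML, the safer pattern is to escape the untrusted fragment (the user-supplied value) before concatenating it into the message, rather than marking the whole message `raw`.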