CRITICAL · CVE-2022-1571 · CVSS 9.9

CVE-2022-1571: XSS in facturascripts

Platform: php

Component: facturascripts

Fixed in: 2022.07

AI Confidence: high · Source: NVD · EPSS 0.3% · Reviewed: May 2026

CVE-2022-1571 is a reflected Cross-Site Scripting (XSS) vulnerability discovered in the facturascripts application prior to version 2022.07. This flaw allows attackers to inject arbitrary JavaScript code into the application, potentially compromising user accounts and sensitive data. The vulnerability resides within the 'Create Subaccount' functionality and has been assigned a CVSS score of 9.9 (CRITICAL). A patch was released in version 2022.07.

Impact and Attack Scenarios

The impact of CVE-2022-1571 is significant due to the ease of exploitation and the potential for widespread compromise. An attacker can leverage this XSS vulnerability to execute malicious JavaScript code within the context of a victim's browser session. This allows them to steal session cookies, effectively impersonating the user and gaining unauthorized access to their account. Furthermore, the injected script can perform HTTP requests to other domains, potentially exfiltrating sensitive data or launching further attacks against the victim's network. The 'same origin' restriction limits the scope of actions within the application itself, but the ability to steal cookies and perform external requests represents a serious security risk.

Exploitation Context

CVE-2022-1571 was publicly disclosed on May 4, 2022. While no active exploitation campaigns have been definitively confirmed, the CRITICAL severity and ease of exploitation make it a likely target for opportunistic attackers. No proof-of-concept code has been publicly released, but the vulnerability's nature makes it relatively straightforward to exploit. It is not currently listed on the CISA KEV catalog.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.32% (55th percentile)

CVSS Vector

CVSS 3.1 vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L (base score 9.9, CRITICAL)

What do these metrics mean?

  - Attack Vector (how the attacker reaches the target): Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
  - Attack Complexity (conditions required to exploit): Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
  - Privileges Required (authentication level needed to attack): None — unauthenticated. No login or credentials needed to exploit.
  - User Interaction (whether a victim must take action): None — attack is automatic and silent. Victim does nothing: no click, no file open.
  - Scope (impact beyond the vulnerable component): Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
  - Confidentiality (risk of sensitive data exposure): High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
  - Integrity (risk of unauthorized data modification): Low — attacker can modify some data with limited scope or impact.
  - Availability (risk of service disruption): Low — partial or intermittent denial of service. Attacker can degrade performance.

Affected Software

Component: facturascripts
Vendor: neorazorx
Affected range: unspecified – 2022.07
Fixed in: 2022.07

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2022-1571 is to immediately upgrade facturascripts to version 2022.07 or later, which contains the necessary fix. If upgrading is not immediately feasible, consider implementing temporary workarounds such as strict input validation and output encoding on the 'Create Subaccount' page. Web Application Firewalls (WAFs) configured with rules to detect and block XSS payloads can also provide a layer of protection. Regularly review and update WAF rules to ensure they are effective against emerging threats. After upgrading, verify the fix by attempting to inject a simple JavaScript payload into the 'Create Subaccount' field and confirming that it is properly sanitized.
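The output-encoding workaround described above, shown as an added PHP example that is not facturascripts code: the form field name `subaccount_name`, the allowed-character pattern and the page fragment are all hypothetical, and the sample input is constructed.

```php
<?php
// Added example (not facturascripts code): the reflected-XSS pattern and its fix.
// Field name 'subaccount_name' and the validation pattern are hypothetical.
declare(strict_types=1);

// VULNERABLE: the submitted value is echoed back into the response verbatim,
// so any markup in the parameter becomes part of the page the browser renders.
function renderVulnerable(string $submitted): string
{
    return '<input type="text" name="subaccount_name" value="' . $submitted . '">';
}

// Output encoding for the HTML attribute context. ENT_QUOTES also encodes
// single quotes; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning
// an empty string, which would silently drop the value.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Strict input validation: accept only the characters a subaccount name
// legitimately needs (hypothetical allow-list) and reject everything else.
function isValidSubaccountName(string $value): bool
{
    return preg_match('/^[A-Za-z0-9 ._-]{1,40}$/', $value) === 1;
}

// HARDENED: validate on input, encode on output. Encoding is applied even
// when validation passes, because the two controls guard different contexts.
function renderHardened(string $submitted): string
{
    if (!isValidSubaccountName($submitted)) {
        $submitted = ''; // reject rather than reflect
    }
    return '<input type="text" name="subaccount_name" value="' . escapeHtml($submitted) . '">';
}

// Constructed sample: input that closes the attribute and opens a new tag.
$sample = '"><b>demo</b>';

echo 'Vulnerable: ' . renderVulnerable($sample) . PHP_EOL;
echo 'Hardened:   ' . renderHardened($sample) . PHP_EOL;

// Regression check in the spirit of the verification step above: user data
// must never reach the response as a raw '<' or '"'.
$encoded = escapeHtml($sample);
assert(strpos($encoded, '<') === false && strpos($encoded, '"') === false);
```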

How to fix

Upgrade facturascripts to version 2022.07 or later. This version fixes the reflected Cross-Site Scripting (XSS) vulnerability in subaccount creation.


Frequently asked questions

What is CVE-2022-1571 — Cross-Site Scripting (XSS) in facturascripts?

CVE-2022-1571 is a critical XSS vulnerability in facturascripts versions before 2022.07, allowing attackers to inject malicious JavaScript code.

Am I affected by CVE-2022-1571 in facturascripts?

You are affected if you are using facturascripts versions prior to 2022.07. Upgrade immediately to mitigate the risk.

How do I fix CVE-2022-1571 in facturascripts?

Upgrade facturascripts to version 2022.07 or later. Consider temporary workarounds like input validation and WAF rules if immediate upgrade is not possible.

Is CVE-2022-1571 being actively exploited?

While no active campaigns are confirmed, the CRITICAL severity and ease of exploitation make it a likely target for attackers.

Where can I find the official facturascripts advisory for CVE-2022-1571?

Refer to the facturascripts GitHub repository (neorazorx/facturascripts) for updates and advisories related to CVE-2022-1571.
