CVE-2025-1076
Description
A Stored Cross-Site Scripting (Stored XSS) vulnerability has been found in the Holded application. This vulnerability could allow an attacker to store a JavaScript payload within the editable ‘name’ and ‘icon’ parameters of the Activities functionality.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS vulnerability in Holded allows attackers to inject JavaScript payloads via editable 'name' and 'icon' parameters of Activities.
Vulnerability
Overview
A Stored Cross-Site Scripting (Stored XSS) vulnerability, identified as CVE-2025-1076, has been discovered in the Holded cloud invoicing application. The flaw resides in the Activities functionality, where an attacker with sufficient privileges can inject arbitrary JavaScript payloads into the editable name and icon parameters. Because the payload is stored server-side, it executes every time a user accesses the affected activity, leading to persistent script injection [1].
Exploitation
Prerequisites
To exploit this vulnerability, an attacker must have high-level privileges (e.g., administrator or manager roles) that allow modification of activity fields. The attack requires user interaction (UI:R) and has a scope change (S:C), meaning the injected script can affect resources beyond the vulnerable component. The CVSS v3.1 base score is 4.8 (Medium), with the vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N [1].
Impact and Mitigation
Successful exploitation could lead to disclosure of limited confidential information (C:L) and a low integrity impact (I:L) by modifying or exfiltrating data within the victim's session. Holded addressed the vulnerability on 2 May 2024 by enforcing a Content Security Policy (CSP) that blocks inline scripts and restricts script sources to a whitelist of domains. As a result, there is no active risk on the Holded platform for users on the patched version [1].
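The following is an added example, not Holded's code or anything from the INCIBE advisory. It shows the two defender-side controls that together neutralise a stored XSS in user-editable fields like the Activities `name` and `icon`: contextual output encoding (or an allow-list for fields that should only ever hold a known identifier) at render time, and a CSP of the kind the advisory describes, which blocks inline scripts and limits script sources to an allow-list. The icon names, the sample activity and the CDN hostname are constructed for the example; the real Activities markup is not on the page and is assumed.

```javascript
// Added example (not Holded's code): render untrusted Activity fields safely and
// pair that with a Content-Security-Policy that blocks inline scripts.

// Map every HTML-significant character to its entity so attacker-supplied text
// in 'name' is displayed literally instead of being parsed as markup.
function escapeHtml(value) {
  const entities = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '`': '&#96;',
  };
  return String(value).replace(/[&<>"'`]/g, (ch) => entities[ch]);
}

// The 'icon' field should only ever name a known icon, so an allow-list is a
// better fit than escaping: anything outside the set falls back to a default.
// (Constructed set of icon identifiers; the real set is not on the page.)
const KNOWN_ICONS = new Set(['call', 'meeting', 'task', 'email']);
function safeIcon(icon) {
  return KNOWN_ICONS.has(icon) ? icon : 'task';
}

// Render one activity card. Both fields are user-editable, so both are untrusted
// and must not reach the HTML unencoded (hypothetical markup).
function renderActivity(activity) {
  const name = escapeHtml(activity.name);
  const icon = safeIcon(activity.icon);
  return `<li class="activity"><i class="icon icon-${icon}"></i><span>${name}</span></li>`;
}

// Build a CSP header value: no inline scripts (no 'unsafe-inline'), scripts only
// from the application's own origin plus an explicit allow-list of origins.
function buildCsp(allowedScriptOrigins) {
  const scriptSrc = ["'self'", ...allowedScriptOrigins].join(' ');
  return [
    "default-src 'self'",
    `script-src ${scriptSrc}`,
    "object-src 'none'",
    "base-uri 'self'",
  ].join('; ');
}

// Constructed sample: an activity whose editable fields carry markup.
const sampleActivity = {
  name: '<script>alert(1)</script> Quarterly review',
  icon: '"><script>alert(1)</script>',
};

// Stand-alone run: the name is shown as text, the icon falls back to 'task',
// and the CSP would stop any inline script that slipped through anyway.
console.log(renderActivity(sampleActivity));
console.log(buildCsp(['https://static.example.invalid']));
```

The CSP is defence in depth, not a substitute for encoding: with `script-src` limited to listed origins and no `'unsafe-inline'`, an inline `<script>` or `onerror=` handler that somehow reaches the page is refused by the browser, which is the effect the advisory attributes to Holded's fix.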
References
[1] INCIBE advisory (INCIBE-2025-0060) on CVE-2025-1076.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (no patches discovered yet)
Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.
References: 1
News mentions: 0 (no linked articles in our index yet)