Stored Cross-Site Scripting vulnerability in Holded
- Holded software.
INCIBE has coordinated the publication of a medium severity vulnerability affecting Holded, a cloud invoicing software for small and medium-sized companies, discovered by Jesús Alcalde Alcázar and Diego León Casas.
This vulnerability has been assigned the following CVE identifier, CVSS v3.1 base score, CVSS vector and CWE vulnerability type:
- CVE-2025-1076: CVSS v3.1 base score 4.8 | CVSS vector AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N | CWE-79
The reported vulnerability was fixed on 2 May 2024. The CSP (Content Security Policy) configuration implemented by Holded is designed to prevent the execution of inline scripts and to restrict the loading of scripts to the domains specified in its whitelist, which effectively mitigates script injection of the kind reported in this vulnerability.
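As an added illustration (not Holded's actual policy or code), the following Python audit function parses a Content-Security-Policy header and flags script-src settings that would let a stored payload like the one described above execute; the two sample policies are constructed for the example.

```python
# Constructed sample policies for illustration; they are not Holded's real headers.
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https:"
STRICT_CSP = "default-src 'self'; script-src 'self' https://cdn.example.com; object-src 'none'"


def parse_csp(header):
    """Split a Content-Security-Policy header into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def script_policy_findings(header):
    """Return weaknesses in the effective script-src of a CSP header.

    Uses script-src, falling back to default-src as a browser does. A policy
    that blocks inline scripts and only allows listed origins returns [].
    """
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src"))
    findings = []
    if sources is None:
        return ["no script-src or default-src: inline and remote scripts are allowed"]
    # Per CSP Level 3, 'unsafe-inline' is ignored when a nonce or hash is present.
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources
    )
    if "'unsafe-inline'" in sources and not has_nonce_or_hash:
        findings.append("'unsafe-inline' in script-src: a stored payload can run inline")
    if "'unsafe-eval'" in sources:
        findings.append("'unsafe-eval' in script-src: string-to-code execution allowed")
    for s in sources:
        # Scheme-only or wildcard sources let any host on that scheme serve script.
        if s in ("*", "https:", "http:", "data:") or s.startswith("*."):
            findings.append(f"broad script source {s!r}: script may load from untrusted hosts")
    return findings


if __name__ == "__main__":
    for label, csp in (("weak", WEAK_CSP), ("strict", STRICT_CSP)):
        print(label, script_policy_findings(csp) or "no findings")
```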
There is currently no active risk associated with this vulnerability in the Holded platform.
CVE-2025-1076: a Stored Cross-Site Scripting (Stored XSS) vulnerability has been found in the Holded application. This vulnerability could allow an attacker to store a JavaScript payload within the editable ‘name’ and ‘icon’ parameters of the Activities functionality.