The vulnerability stems from the fsNick cookie, which is reflected unchanged into the HTML DOM by FacturaScripts. Because the cookie value is not encoded or sanitized before rendering, a malicious payload can be injected and executed as soon as the page loads, even though the server subsequently forces a logout. This allows an attacker to run arbitrary client‑side code within the victim’s browser session, potentially defacing the interface or exfiltrating session data. AFFECTED SYSTEMS NeoRazorX FacturaScripts versions 2025.7 and earlier are affected. The flaw has been corrected in 2025.8; no earlier versions are listed as patched. RISK AND EXPLOITABILITY The published CVSS score of 3.9 indicates low severity. EPSS data is not available, so the current exploit probability is uncertain, but the flaw is not in the CISA KEV catalog. The attack vector is client‑side, requiring an attacker to set a crafted fsNick cookie in the victim’s browser—either by direct manipulation or by persuading the user to load a malicious payload. Once the page loads, the script runs immediately, bypassing the server‑side logout.

NeoRazorX FacturaScripts versions 2025.7 and prior

The CVSS score of 3.9 denotes low severity, and EPSS is currently unavailable, making the breach likelihood unclear. The vulnerability is not listed in CISA KEV. The flaw is exploitable by modifying the fsNick cookie to inject arbitrary JavaScript; an attacker needs to convince a user to load such a cookie or insert it manually. As the payload executes before the logout process completes, it can authorise further client‑side actions while the session is still valid. The danger is therefore limited to the compromised browser, but it could facilitate phishing, credential theft, or defacement.