MagnusSolution MagnusBilling Alarm Module Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in the Alarm Module of MagnusSolution MagnusBilling, affecting versions through 7.3.0. This issue arises from improper input sanitization during web page generation, allowing authenticated users to inject malicious scripts that are executed when the alerts are viewed by administrators.

Impact

Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the context of an admin user, potentially leading to session hijacking, cross-site request forgery, and compromise of the admin panel.

Reproduction

To reproduce this vulnerability, an authenticated user can send a POST request to the '/mbilling/index.php/alarm/save' endpoint. The request must include a 'rows' parameter with a 'message' field containing a JavaScript payload, such as an image tag (with an invalid image source) using an 'onerror' event. Once the payload is injected, it will execute when an admin accesses the '/mbilling/index.php/alarm/read' endpoint.

Remediation

Users can update to the latest version of MagnusBilling, where this vulnerability has been patched. The patch is available on the MagnusBilling GitHub repository.
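As an added example (not MagnusBilling code and not part of the original advisory), the following Python code audits the body of an 'alarm/save' request for markup in the 'message' field, as described under Reproduction, and shows the HTML-escaped form of each message. It assumes the body is form-encoded and that 'rows' carries JSON, which the advisory does not specify; the function names and sample bodies are constructed for illustration.

```python
import html
import json
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode


class _MarkupFinder(HTMLParser):
    """Records each HTML start tag and any inline event-handler attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        handlers = sorted(name for name, _ in attrs if name.startswith("on"))
        self.findings.append((tag, handlers))


def audit_message(message):
    """Return [(tag, [handler attributes])] for markup found in one message."""
    finder = _MarkupFinder()
    finder.feed(message)
    finder.close()
    return finder.findings


def audit_save_body(body):
    """Audit a form-encoded alarm/save body. Assumption: 'rows' holds JSON."""
    rows = json.loads(parse_qs(body)["rows"][0])
    rows = rows if isinstance(rows, list) else [rows]
    report = []
    for row in rows:
        message = str(row.get("message", ""))
        report.append({
            "findings": audit_message(message),
            # What an HTML view should emit so the text is displayed, not parsed.
            "escaped": html.escape(message, quote=True),
        })
    return report


# Constructed sample bodies, not captured traffic.
SAMPLE_BODIES = [
    urlencode({"rows": json.dumps({"message": "CPU load above 90%"})}),
    urlencode({"rows": json.dumps({"message": '<img src="x" onerror="alert(1)">'})}),
]

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(audit_save_body(body))
```

A plain-text alarm message produces no findings; any finding means markup reached the field and the stored record should be reviewed. The audit complements, and does not replace, updating to the patched version.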

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 2.2
impact: 1.7
exploitability: 6.5
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.