HostBill Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in HostBill versions through 2025-12-01. It allows remote attackers to inject JavaScript payloads that execute in the browser of any user who views the affected content. The root cause is inadequate input validation and output encoding: submitted values are stored and later rendered without being encoded for their HTML context, so arbitrary scripts can be injected into several components of the application, including knowledge base articles, support ticket department names, and contract fields.

Impact

Exploitation of this vulnerability allows for the injection of malicious scripts that are executed in the context of the user viewing the affected content, potentially leading to self-XSS scenarios for the administrator who injected the script.

Reproduction

To reproduce this vulnerability, log into the HostBill admin panel and navigate to 'Manage Clients' then 'Ticket Department'. Add a new ticket department or modify an existing one by inserting a malicious JavaScript payload into the department name. After saving the changes, log in as another administrator or client and open the affected support ticket field to observe the executed script.

Remediation

Users are advised to update HostBill to the latest version.
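The advisory traces the issue to inadequate input validation and output encoding. As an added illustration that is not HostBill's code (HostBill is a PHP product; this is a simplified Python model), here is the department-name template rendered unencoded beside the encoded form, an allowlist validator for the input side, and a parser-based regression check that a template emits only its own elements. The `<option>` template, the allowlist pattern and the sample name are assumptions.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample (not a real HostBill value): a department name
# carrying markup, as a tester would enter it in the admin panel.
SAMPLE_DEPARTMENT = "Billing <script>alert(1)</script>"

# Hypothetical allowlist for a department name: short, printable, no
# angle brackets or quotes. Input-side defence in depth only; it does
# not replace output encoding at render time.
_NAME_RE = re.compile(r"[A-Za-z0-9 &/()'._-]{1,64}")


def validate_department_name(name: str) -> bool:
    """Input validation: accept only names matching the allowlist."""
    return _NAME_RE.fullmatch(name) is not None


def render_vulnerable(name: str) -> str:
    """The pattern the advisory describes: the stored name is pasted
    into HTML verbatim, so any markup it carries becomes page content."""
    return f'<option value="{name}">{name}</option>'


def render_safe(name: str) -> str:
    """Output encoding: escape the name for the attribute value and the
    element text (quote=True also escapes quotes, needed in attributes)."""
    encoded = html.escape(name, quote=True)
    return f'<option value="{encoded}">{encoded}</option>'


class _TagCollector(HTMLParser):
    """Records every start tag the parser sees in a fragment."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def emitted_tags(fragment: str) -> list:
    """Regression check for a template: the elements a browser would
    create from the rendered fragment. A safe template yields only the
    elements the template itself contains, here ['option']."""
    collector = _TagCollector()
    collector.feed(fragment)
    collector.close()
    return collector.tags
```

Running `emitted_tags` over both renderings of the sample shows the unencoded template producing an extra `script` element while the encoded one produces only `option`.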

Added: Apr 24, 2026, 8:39 PM
Updated: Apr 24, 2026, 8:39 PM

Vulnerability Rating

Custom Algorithm
  Metric           Score
  spread             2.2
  impact             5.4
  exploitability     6.3
  remediation        7.7
  relevance          6.6
  threat             6.4
  urgency            2.9
  incentive          0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.