BichitroGan ISP Billing Software Cross-Site Scripting Vulnerability in Customer Edit Function
Vulnerability
A stored cross-site scripting vulnerability has been identified in BichitroGan ISP Billing Software version 2025.3.20. The issue arises in the Customer Handler component, specifically within the customer edit route. The application stores the values submitted for the Full Name and Home Address fields without sanitization and later renders them without output encoding. As a result, JavaScript payloads saved in these fields execute in the browsers of users viewing the affected pages. This vulnerability can be exploited remotely, and a public exploit is available.
Impact
Exploitation of this vulnerability allows for session hijacking, credential theft, unauthorized actions, and privilege escalation if an admin views the injected payload.
Reproduction
To reproduce this vulnerability, log into the application as a user or admin. Navigate to the customer edit page and enter a script payload into the Full Name and Home Address fields. After saving the changes, visit the customer list page to observe the executed payload.
Remediation
It is recommended to encode user-supplied values on output using functions like htmlspecialchars, validate input strictly on the server side, deploy Content Security Policy headers as defence in depth, and never render raw user input.
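As an added illustration of the remediation above (example code, not BichitroGan's own source): a PHP rendering helper that shows the unsafe echo pattern beside output encoding with htmlspecialchars, together with hypothetical validation rules for the two affected fields and a Content Security Policy header. The field names, validation rules and sample record are constructed for the example.

```php
<?php
// Added example (not BichitroGan's code): the unsafe and the hardened way of
// rendering a customer row, so the effect of output encoding is visible.
declare(strict_types=1);

/** Encode a value for insertion into HTML text or a quoted attribute. */
function h(string $value): string
{
    // ENT_QUOTES covers both quote styles so the value is also safe inside
    // attributes; ENT_SUBSTITUTE avoids returning '' on malformed UTF-8,
    // which would otherwise silently blank the field.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Server-side validation for the two affected fields (hypothetical rules). */
function validateCustomer(array $input): array
{
    $errors = [];
    // Full Name: letters, spaces, dots, apostrophes and hyphens, bounded length.
    if (!preg_match('/^[\p{L} .\'-]{1,100}$/u', $input['full_name'] ?? '')) {
        $errors['full_name'] = 'Invalid characters or length.';
    }
    // Home Address: bounded length; markup characters are rejected outright.
    $address = $input['home_address'] ?? '';
    if (mb_strlen($address) > 255 || preg_match('/[<>]/', $address)) {
        $errors['home_address'] = 'Invalid characters or length.';
    }
    return $errors;
}

/** Vulnerable pattern: stored value echoed straight into the page. */
function renderRowUnsafe(array $c): string
{
    return "<tr><td>{$c['full_name']}</td><td>{$c['home_address']}</td></tr>";
}

/** Hardened pattern: every user-controlled value passes through h(). */
function renderRowSafe(array $c): string
{
    return '<tr><td>' . h($c['full_name']) . '</td><td>' . h($c['home_address']) . '</td></tr>';
}

// Defence in depth: a CSP that blocks inline scripts even if encoding is missed.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");

// Constructed sample record with markup in the stored fields; the safe renderer
// emits it as visible text (&lt;b&gt;Test&lt;/b&gt;) rather than as HTML.
$customer = ['full_name' => '<b>Test</b>', 'home_address' => '"quoted" & <i>road</i>'];
echo renderRowSafe($customer), "\n";
```

Validation alone is not a fix here: a value that passes the name rule (for example one containing an apostrophe) still needs encoding before it reaches an attribute, which is why h() is applied unconditionally in renderRowSafe.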
