BichitroGan ISP Billing Software Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in BichitroGan ISP Billing Software version 2025.3.20. The issue arises in the Profile Page Handler component, specifically in the file handling the '/?_route=settings/users-view/' route. An authenticated user can inject JavaScript into the 'fullname' field; the stored value is then executed in the browser of anyone who views the affected page, including administrators. The root cause is that the application does not encode the value before rendering it into the page, so markup supplied in the field is interpreted as code rather than displayed as text.
Impact
Exploitation of this vulnerability allows for session hijacking, credential theft, unauthorized actions, and privilege escalation if an administrator views the injected payload.
Reproduction
To reproduce this vulnerability, log in as a normal user and navigate to the profile edit page. Enter a script payload into the fullname field and save the changes. Then, visit the profile page or the admin user view page to observe the executed payload.
Remediation
It is recommended to escape the 'fullname' value with a context-appropriate encoding function wherever it is rendered, to validate input so that special characters are restricted, and to apply output encoding consistently across all templates rather than in individual views.
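The following is an added illustration of the recommended fix and is not BichitroGan's own code: the page template, field name placement and the marker value are constructed assumptions, showing the unencoded rendering beside the encoded one, a server-side validator for the field, and a regression check that flags any template still emitting a markup-bearing user value verbatim.

```python
import html
import re

# Constructed stand-in for the profile/users-view template (assumption: the
# real template is not on the page). The same value lands in two HTML
# contexts, an element body and a quoted attribute.
TEMPLATE = (
    '<h1>Profile: {fullname}</h1>\n'
    '<input name="fullname" value="{fullname}">'
)


def render_profile_vulnerable(fullname: str) -> str:
    """Pre-fix behaviour: the stored value is interpolated into HTML verbatim."""
    return TEMPLATE.format(fullname=fullname)


def render_profile_fixed(fullname: str) -> str:
    """Hardened rendering: HTML-encode at output time. quote=True also encodes
    both quote characters, so one encoded value is safe in the element body
    and inside the double-quoted attribute used in TEMPLATE."""
    return TEMPLATE.format(fullname=html.escape(fullname, quote=True))


def validate_fullname(fullname: str) -> bool:
    """Server-side input validation as defence in depth (not a substitute for
    output encoding): bounded length, no angle brackets, no control chars."""
    return (
        1 <= len(fullname) <= 100
        and re.fullmatch(r"[^<>\x00-\x1f]+", fullname) is not None
    )


def leaks_raw_markup(rendered: str, user_value: str) -> bool:
    """Regression check for templates: True when a user value containing
    markup-significant characters appears unencoded in the rendered page."""
    if not re.search(r"[<>\"']", user_value):
        return False  # nothing that needed encoding, so nothing to flag
    return user_value in rendered


# Constructed, harmless marker value used for the check; it is a test
# fixture, not a working payload.
MARKER = "<script>marker</script>"
```

Run `leaks_raw_markup` over every template that renders user-controlled fields, not just the users-view page, to confirm the encoding is applied consistently.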
