BichitroGan ISP Billing Software Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in BichitroGan ISP Billing Software version 2025.3.20. The issue arises in the Pool List Interface, specifically within the file '/?_route=pool/add'. This vulnerability allows administrators to inject JavaScript into the Pool Name field, which is then executed when the data is displayed in the Pool List interface. The injected script is not properly sanitized before being rendered as HTML, creating an opportunity for cross-site scripting attacks. This vulnerability can be exploited remotely, and a public exploit is available.

Impact

Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the context of the user's browser, potentially leading to session hijacking, unauthorized actions, and compromise of admin accounts. If an admin account is targeted, it could result in a full system takeover.

Reproduction

To reproduce this vulnerability, log in as an admin and navigate to the 'Add Pool' interface. Enter a script tag payload into the 'Pool Name' field and save the entry. Then, visit the 'Pool List' interface to see the injected script execute.

Remediation

It is recommended to properly escape output using htmlspecialchars, validate input to allow only safe characters, and implement Content Security Policy headers.