CVE-2025-2609
published 2025-03-21CVE-2025-2609: Improper neutralization of input during web page generation vulnerability in MagnusSolution MagnusBilling login logging allows unauthenticated users to store…
PriorityP278medium6.1CVSS 3.1
AVNACLPRNUIRSCCLILAN
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
1.10%
61.5th percentile
Improper neutralization of input during web page generation vulnerability in MagnusSolution MagnusBilling login logging allows unauthenticated users to store HTML content in the viewable log component accessible at /mbilling/index.php/logUsers/read" cross-site scripting This vulnerability is associated with program files protected/components/MagnusLog.Php.
This issue affects MagnusBilling: through 7.3.0.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| magnussolution | magnusbilling | <= 7.3.0 | — |
| msrc | cbl2_vim_9.0.1562-1_on_cbl_mariner_2.0 | — | — |
| msrc | cm1_vim_9.0.1562-1_on_cbl_mariner_1.0 | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Detect unauthenticated POST requests to the MagnusBilling login endpoint with empty or anomalous 'user' field — a precursor to injecting stored XSS payloads into login logs ↗
- →Monitor HTTP responses from /mbilling/index.php/authentication/login for the string 'combination is invalid' combined with absence of 'Trying SQL inject' — indicates the login logging path is active and injectable ↗
- →Alert on GET requests to /mbilling/index.php/logUsers/read that return HTTP 200 with body containing 'User: ' — this is the log viewer where stored XSS payloads execute ↗
- →Use Shodan/FOFA queries to identify exposed MagnusBilling instances as attack surface for this stored XSS vulnerability ↗
- →Inspect the 'user' and 'password' POST body parameters submitted to /mbilling/index.php/authentication/login for embedded HTML/JavaScript — these values are stored unsanitized in login logs ↗
- ·The default MagnusBilling admin credentials used in the Nuclei template (username 'root', password hash '9F4CA770B638615AC5C3E0D2DA16B77C80C2F2C6') are required for the detection flow steps 2–4; the XSS injection itself (step 1) is unauthenticated ↗
- ·The vulnerability affects MagnusBilling through version 7.3.0 only; instances running 7.3.1 or later are not affected ↗
CVSS provenance
nvdv3.16.1MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vulncheck8.2HIGH
vendor_msrc5.5MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-fxw9-g6g5-mfqx: Improper neutralization of input during web page generation vulnerability in MagnusSolution MagnusBilling login logging allows unauthenticated users t
ghsa_unreviewed·2025-03-22
CVE-2025-2609 [HIGH] CWE-79 GHSA-fxw9-g6g5-mfqx: Improper neutralization of input during web page generation vulnerability in MagnusSolution MagnusBilling login logging allows unauthenticated users t
Improper neutralization of input during web page generation vulnerability in MagnusSolution MagnusBilling login logging allows unauthenticated users to store HTML content in the viewable log component accessible at /mbilling/index.php/logUsers/read" cross-site scripting This vulnerability is associated with program files protected/components/MagnusLog.Php.
This issue affects MagnusBilling: through 7.3.0.
VulnCheck
magnussolution magnusbilling Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
vulncheck·2025·CVSS 8.2
CVE-2025-2609 [HIGH] magnussolution magnusbilling Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
magnussolution magnusbilling Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Improper neutralization of input during web page generation vulnerability in MagnusSolution MagnusBilling login logging allows unauthenticated users to store HTML content in the viewable log component accessible at /mbilling/index.php/logUsers/read" cross-site scripting This vulnerability is associated with program files protected/components/MagnusLog.Php.
This issue affects MagnusBilling: through 7.3.0.
Affected: magnussolution magnusbilling
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://chocapikk.com/posts/2025/magnusbilling/
Microsoft
NULL Pointer Dereference in vim/vim
vendor_msrc·2023-05-09·CVSS 5.5
CVE-2023-2609 [MEDIUM] CWE-476 NULL Pointer Dereference in vim/vim
NULL Pointer Dereference in vim/vim
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
@huntr_ai: @huntr_ai
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn.microsoft.c
No detection rules found.
Nuclei
MagnusBilling Login Logs - Cross-Site Scripting
nuclei·CVSS 6.1
CVE-2025-2609 [MEDIUM] MagnusBilling Login Logs - Cross-Site Scripting
MagnusBilling Login Logs - Cross-Site Scripting
Improper neutralization of input during web page generation vulnerability in MagnusSolution MagnusBilling login logging allows unauthenticated users to store HTML content in the viewable log component accessible at /mbilling/index.php/logUsers/read" cross-site scripting This vulnerability is associated with program files protected/components/MagnusLog.Php.This issue affects MagnusBilling- through 7.3.0.
Template:
id: CVE-2025-2609
info:
name: MagnusBilling Login Logs - Cross-Site Scripting
author: DhiyaneshDK
severity: high
description: |
Improper neutralization of input during web page generation vulnerability in MagnusSolution MagnusBilling login logging allows unauthenticated users to store HTML content in the viewable log component ac
No writeups or analysis indexed.
2025-03-21
Published
Exploited in the wild