cbcvebase.
CVE-2025-2609
published 2025-03-21

CVE-2025-2609: Improper neutralization of input during web page generation vulnerability in MagnusSolution MagnusBilling login logging allows unauthenticated users to store…

Priority: P278 · medium · CVSS 3.1 base score 6.1
Vector: AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 1.10% (61.5th percentile)
Improper neutralization of input during web page generation (cross-site scripting) in the MagnusSolution MagnusBilling login logging allows unauthenticated users to store HTML content in the viewable log component accessible at /mbilling/index.php/logUsers/read. The vulnerability is associated with the program file protected/components/MagnusLog.Php. This issue affects MagnusBilling through 7.3.0.

Affected (3 ranges)

Vendor         | Product                                  | Version range | Fixed in
magnussolution | magnusbilling                            | <= 7.3.0      |
msrc           | cbl2_vim_9.0.1562-1_on_cbl_mariner_2.0   |               |
msrc           | cm1_vim_9.0.1562-1_on_cbl_mariner_1.0    |               |

Detection & IOCs (extracted from sources)

url:  /mbilling/index.php/logUsers/read
path: /mbilling/index.php/authentication/login
path: /mbilling/index.php/authentication/check
path: /mbilling/index.php/logUsers/read?_dc=&page=1&start=0&limit=25
path: protected/components/MagnusLog.Php
  • Detect unauthenticated POST requests to the MagnusBilling login endpoint with an empty or anomalous 'user' field; such requests are the precursor to stored XSS payloads landing in the login logs
  • Monitor HTTP responses from /mbilling/index.php/authentication/login for the string 'combination is invalid' together with the absence of 'Trying SQL inject'; this indicates that the login logging path is active and injectable
  • Alert on GET requests to /mbilling/index.php/logUsers/read that return HTTP 200 with a body containing 'User: '; this is the log viewer in which stored XSS payloads execute
  • Use Shodan/FOFA queries to identify internet-exposed MagnusBilling instances, which form the attack surface for this stored XSS vulnerability
  • Inspect the 'user' and 'password' POST body parameters submitted to /mbilling/index.php/authentication/login for embedded HTML/JavaScript; these values are stored unsanitized in the login logs
  • The default MagnusBilling admin credentials used in the Nuclei template (username 'root', password hash '9F4CA770B638615AC5C3E0D2DA16B77C80C2F2C6') are required for detection flow steps 2–4; the XSS injection itself (step 1) is unauthenticated
  • The vulnerability affects MagnusBilling through version 7.3.0 only; instances running 7.3.1 or later are not affected

CVSS provenance

nvd (v3.1):   6.1 MEDIUM  CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vulncheck:    8.2 HIGH
vendor_msrc:  5.5 MEDIUM