CVE-2025-2610
published 2025-03-21

CVE-2025-2610: Improper neutralization of input during web page generation vulnerability in MagnusSolution MagnusBilling (Alarm Module modules) allows authenticated stored…

Priority: P276
Severity: medium, 5.4 (CVSS 3.1)
Vector: AV:N / AC:L / PR:L / UI:R / S:C / C:L / I:L / A:N
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 0.86% (54.1th percentile)

Improper neutralization of input during web page generation vulnerability in MagnusSolution MagnusBilling (Alarm Module modules) allows authenticated stored cross-site scripting. This vulnerability is associated with program files protected/components/MagnusLog.Php. This issue affects MagnusBilling: through 7.3.0.

Affected

3 ranges
Vendor          Product                                  Version range  Fixed in
magnussolution  magnusbilling                            <= 7.3.0
msrc            cbl2_vim_9.0.1562-1_on_cbl_mariner_2.0
msrc            cm1_vim_9.0.1562-1_on_cbl_mariner_1.0

Detection & IOCs (extracted from sources)

url: /mbilling/index.php/authentication/login
url: /mbilling/index.php/authentication/check
url: /mbilling/index.php/alarm/save
url: /mbilling/index.php/alarm/read
path: protected/components/MagnusLog.Php
command: rows={"id":0,"id_plan":0,"type":1,"amount":1,"condition":1,"status":1,"email":"{{email}}","period":3600,"creationdate":null,"subject":"test","message":""}
  • Detect exploitation attempts by monitoring POST requests to /mbilling/index.php/alarm/save containing script injection payloads in the 'rows' JSON body parameter (subject/message fields).
  • Monitor GET requests to /mbilling/index.php/alarm/read for responses containing unexpected script tags, indicating stored XSS payload retrieval.
  • Shodan/FOFA fingerprint for exposed MagnusBilling instances: search for http.html:"magnusbilling" or body="magnusbilling".
  • Authentication to MagnusBilling uses a SHA1-hashed password submitted via POST to /mbilling/index.php/authentication/login with fields user= and password=; the default credential hash for 'magnus' is 9F4CA770B638615AC5C3E0D2DA16B77C80C2F2C6.
  • The vulnerability resides in the Alarm Module; inspect the protected/components/MagnusLog.Php file for missing output encoding on alarm subject/message fields.
  • The exploit requires prior authentication (PR:L); the PoC template uses hardcoded credentials (username: root, password hash for 'magnus'). Real-world exploitation depends on valid authenticated session cookies being present.
  • The stored XSS payload is injected via the alarm/save endpoint and only triggers when another user (e.g., an administrator) views the alarm list via alarm/read, requiring UI interaction (UI:R in CVSS).
  • Affected versions are MagnusBilling through 7.3.0; the nuclei template targets this version range and may produce false positives or negatives on patched (7.3.1+) instances.
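
Added example (not part of the original page and not MagnusBilling code): one way to implement the first detection note, decoding the form-encoded 'rows' parameter of POSTs to alarm/save and flagging markup in the subject/message fields. The markup heuristic, the function names and the sample requests are assumptions constructed for illustration.

```python
import json
import re
from urllib.parse import parse_qs, urlencode, urlsplit

ALARM_SAVE = "/mbilling/index.php/alarm/save"  # endpoint listed on this page
FIELDS = ("subject", "message")                # fields named in the detection notes
# Heuristic (assumption of this example): a tag opener, an inline event
# handler attribute, or a javascript: URL counts as active markup.
MARKUP = re.compile(r"<\s*/?\s*[a-z!]|\bon[a-z]+\s*=|javascript\s*:", re.I)


def suspicious_alarm_fields(method, url, body):
    """Return sorted names of alarm fields that carry markup, [] if none."""
    if method.upper() != "POST" or urlsplit(url).path.rstrip("/") != ALARM_SAVE:
        return []
    hits = set()
    for raw in parse_qs(body, keep_blank_values=True).get("rows", []):
        try:
            rows = json.loads(raw)
        except json.JSONDecodeError:
            hits.add("rows(unparseable)")  # malformed JSON is worth a look too
            continue
        for row in rows if isinstance(rows, list) else [rows]:
            if not isinstance(row, dict):
                continue
            for name in FIELDS:
                if MARKUP.search(str(row.get(name) or "")):
                    hits.add(name)
    return sorted(hits)


def sample_body(**overrides):
    """Constructed form body shaped like the 'rows' parameter shown above."""
    row = {"id": 0, "type": 1, "status": 1, "email": "ops@example.test",
           "period": 3600, "subject": "test", "message": ""}
    row.update(overrides)
    return urlencode({"rows": json.dumps(row)})


if __name__ == "__main__":
    samples = [  # constructed requests, not captured traffic
        ("POST", ALARM_SAVE, sample_body()),
        ("POST", ALARM_SAVE, sample_body(subject="ASR < 40% for 1h")),
        ("POST", ALARM_SAVE, sample_body(subject="<script>alert(1)</script>")),
        ("POST", ALARM_SAVE, sample_body(message="<img src=x onerror=alert(1)>")),
        ("POST", ALARM_SAVE, "rows=%7Bnot-json"),
    ]
    for method, url, body in samples:
        print(method, url, suspicious_alarm_fields(method, url, body))
```

The check needs the decoded request body, so it belongs in a WAF, reverse proxy or application log that records POST parameters rather than in a plain access log.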

CVSS provenance

nvd: v3.1, 5.4 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
vulncheck: 7.6 HIGH
vendor_msrc: 7.8 HIGH