CVE-2025-2609
Published: 21 March 2025
Description
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Security Summary
CVE-2025-2609 is an improper neutralization of input during web page generation vulnerability in MagnusSolution's MagnusBilling software, manifesting as a stored cross-site scripting (XSS) issue in the login logging feature. Unauthenticated users can inject HTML content into logs viewable at /mbilling/index.php/logUsers/read, with the flaw tied to the protected/components/MagnusLog.php file. This affects MagnusBilling versions through 7.3.0 and carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N), mapped to CWE-79.
Unauthenticated attackers can exploit this over the network with low attack complexity, but exploitation requires user interaction, such as a victim viewing the tainted logs. The result is stored XSS with high confidentiality impact (potential theft of sensitive data such as session cookies or credentials from affected users), low integrity impact, changed scope, and no availability impact.
A patch addressing this vulnerability is available in the MagnusBilling GitHub repository via commit f0f083c76157e31149ae58342342fb1bf1629e22. Further mitigation details appear in advisories at https://chocapikk.com/posts/2025/magnusbilling/ and https://vulncheck.com/advisories/magnusbilling-logs-xss.
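The pattern described above, shown as an added example that is not MagnusBilling code or the content of the referenced commit: a log row rendered without output encoding, the same row rendered with encoding, and a helper that flags stored rows containing markup for review. It assumes the log view is built as server-side HTML; the function names, row layout and sample rows are hypothetical and constructed for illustration.

```php
<?php
// Added example, not MagnusBilling code. All names here are hypothetical.

// Constructed sample: log rows as a failed-login logger might store them.
// The user name in the description comes from an unauthenticated request.
$logRows = [
    ['id' => 1, 'ip' => '192.0.2.10', 'description' => 'Login failed for user: alice'],
    ['id' => 2, 'ip' => '192.0.2.77', 'description' => 'Login failed for user: <b>injected</b>"'],
];

// Vulnerable pattern: stored text is concatenated into markup as-is,
// so any HTML in the description becomes part of the page an admin views.
function renderRowUnsafe(array $row): string
{
    return '<tr><td>' . $row['ip'] . '</td><td>' . $row['description'] . '</td></tr>';
}

// Hardened pattern: encode every stored field at output time.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderRowSafe(array $row): string
{
    return '<tr><td>' . h($row['ip']) . '</td><td>' . h($row['description']) . '</td></tr>';
}

// Triage helper: list stored rows whose description contains markup
// characters, so entries written before the fix can be reviewed.
function findSuspectRows(array $rows): array
{
    return array_values(array_filter($rows, function (array $row): bool {
        return preg_match('/[<>]|&#|javascript:/i', $row['description']) === 1;
    }));
}

foreach ($logRows as $row) {
    echo "unsafe: ", renderRowUnsafe($row), PHP_EOL;
    echo "safe:   ", renderRowSafe($row), PHP_EOL;
}
echo "rows to review: ", implode(',', array_column(findSuspectRows($logRows), 'id')), PHP_EOL;
```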
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS in a public-facing web application directly enables T1190 (initial access via unauthenticated injection) and facilitates T1539, because injected scripts can steal session cookies or credentials from users who view the logs.