CVE-2025-2610
Published: 21 March 2025
Description
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Security Summary
CVE-2025-2610 is an improper neutralization of input during web page generation vulnerability in MagnusSolution MagnusBilling, specifically within the Alarm Module, that enables authenticated stored cross-site scripting (XSS). The issue is associated with the program file protected/components/MagnusLog.Php and affects MagnusBilling versions through 7.3.0. It has a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N) and is categorized under CWE-79 (Cross-site Scripting).
An authenticated attacker with low privileges can exploit this stored XSS vulnerability over the network with low complexity by injecting malicious payloads into the Alarm Module. Exploitation requires user interaction, such as a victim viewing the affected page. Because the scope is changed, the attacker can then achieve high confidentiality impact by stealing sensitive data such as session cookies or credentials, along with low integrity impact. There is no availability impact.
The vulnerability is fixed in the patch commit at https://github.com/magnussolution/magnusbilling7/commit/f0f083c76157e31149ae58342342fb1bf1629e22. Additional details on the vulnerability and its remediation are provided in the advisories at https://vulncheck.com/advisories/magnusbilling-alarm-xss and https://chocapikk.com/posts/2025/magnusbilling/. Security practitioners should update to a patched version and review access controls for the Alarm Module.
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS in the web application enables browser session hijacking and theft of web session cookies through injected scripts that execute when a victim views the affected page.