CVE-2025-2609: 
MagnusSolution MagnusBilling vulnerability analysis and mitigation

MagnusBilling, a VoIP billing platform, was found to contain a stored cross-site scripting (XSS) vulnerability identified as CVE-2025-2609. The vulnerability was discovered in version 7.3.0 and earlier versions, where improper neutralization of input during web page generation in the login logging functionality allows unauthenticated users to store HTML content in the viewable log component accessible at /mbilling/index.php/logUsers/read (Chocapikk Blog, NVD).

The vulnerability exists in the login logging mechanism where user input from failed login attempts is stored without proper sanitization or encoding. When a user attempts to log in, their username is stored directly in the database without any input validation. This stored data is later rendered in the admin's browser context when viewing the login logs. The vulnerability is specifically associated with program files protected/components/MagnusLog.Php. The CVSS v3.1 base score is 8.2 (HIGH) according to VulnCheck's assessment, with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N (VulnCheck Advisory).

The vulnerability allows attackers to execute arbitrary JavaScript code in the administrator's browser context. This can lead to potential session hijacking, CSRF attacks, and complete admin panel compromise. The severity is heightened by the fact that the vulnerability can be exploited without authentication, making it accessible to any remote attacker (Chocapikk Blog).

The vulnerability has been patched by the vendor through the implementation of CHtml::encode for input sanitization. Users are advised to update to the latest version of MagnusBilling that includes the security fix. The patch was released on March 21, 2025, and is available in the GitHub repository (GitHub Patch).

The vulnerability was initially reported via email on March 19, 2025, followed by communication through the official Telegram support group on March 21. The MagnusBilling team responded promptly and released a patch the same day. VulnCheck collaborated in indexing the CVE, ensuring proper visibility and tracking of the vulnerability (Chocapikk Blog).