CVE-2025-2610: 
MagnusSolution MagnusBilling vulnerability analysis and mitigation

A stored cross-site scripting (XSS) vulnerability has been identified in MagnusSolution MagnusBilling's Alarm Module through version 7.3.0. The vulnerability exists in the program files protected/components/MagnusLog.Php, where improper neutralization of input during web page generation allows authenticated users to perform stored cross-site scripting attacks (NVD, Chocapikk Blog).

The vulnerability stems from the Alarm module's message field, which stores user input without proper sanitization or encoding. When the stored data is later displayed, it is rendered without proper encoding, allowing for JavaScript execution in the browser context. The CVSS v3.1 base score is 7.6 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N, indicating a network-accessible vulnerability requiring low attack complexity and user interaction (VulnCheck Advisory).

When exploited, this vulnerability allows authenticated users to execute arbitrary JavaScript code in the context of other users' browsers, particularly administrators viewing the alarm logs. This can lead to potential session hijacking, CSRF attacks, and compromise of the admin panel (Chocapikk Blog).

The vulnerability has been patched in a GitHub commit that implements proper input encoding using CHtml::encode(). Users should update their MagnusBilling installations to the latest version that includes this security fix (GitHub Patch).

The vulnerability was initially reported via email on March 19, 2025, followed by a Telegram group notification on March 21, 2025. The MagnusBilling team responded promptly and released a patch on the same day. The security community has noted that the vulnerability's discovery during casual browsing suggests potential for more security issues in the codebase (Chocapikk Blog).