CVE-2025-2609 Scanner
CVE-2025-2609 Scanner - Cross-Site Scripting (XSS) vulnerability in MagnusBilling
Short Info
Level
Single Scan
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 8 days 19 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -
MagnusBilling is an open-source VoIP billing solution commonly used by telecom companies, service providers, and IT administrators to manage call routing, billing, and account management for voice-over-IP systems. The software offers a web interface for user management, reporting, and call history tracking. It is widely deployed in Asterisk-based telephony infrastructures. Designed for scalability and integration, MagnusBilling is typically used in Linux-based environments and supports authentication and authorization for various user roles. It provides logging features, detailed usage statistics, and customizable billing plans. Due to its widespread use in sensitive telecommunications environments, any security issues in MagnusBilling can have serious operational consequences.
The vulnerability allows unauthenticated users to inject persistent JavaScript payloads into the login logs section of MagnusBilling. This occurs due to improper input sanitization in the logging component located at `/mbilling/index.php/logUsers/read`. The vulnerability is classified as stored Cross-Site Scripting (XSS), meaning the injected content is stored on the server and executed in the browser when viewed. Attackers can exploit this flaw without needing authentication. The issue stems from a lack of filtering in the log display system, which allows raw HTML/JavaScript to be rendered. As a result, malicious payloads persist across user sessions and can impact multiple users.
Technical analysis shows that the vulnerable endpoint is `/mbilling/index.php/logUsers/read`, which is accessible after authentication. However, attackers can initially submit XSS payloads during a failed login attempt using the endpoint `/mbilling/index.php/authentication/login`. These payloads are logged by the system and then rendered by the administrator interface without proper escaping. The malicious content is recorded by the logging module located at `protected/components/MagnusLog.php`. The detection mechanism checks for a script embedded in the username field and later verifies its appearance in the log output. The vulnerability arises from a failure to neutralize user input before writing it to logs, and the absence of output encoding when those logs are displayed enables stored JavaScript execution in user browsers.
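The two controls this analysis points to, neutralizing the username before it is logged and encoding it when the log is displayed, together with an audit of rows already stored, as an added Python example (not MagnusBilling or scanner code). The row fields, the username allowlist and the sample rows are assumptions constructed for illustration.

```python
import html
import re

# Constructed sample rows standing in for stored login-log entries.
# Field names are assumptions, not MagnusBilling's actual schema.
SAMPLE_LOG_ROWS = [
    {"id": 1, "username": "alice", "description": "Login failed"},
    {"id": 2, "username": "<script>alert(1)</script>", "description": "Login failed"},
    {"id": 3, "username": 'bob" onmouseover="x', "description": "Login failed"},
    {"id": 4, "username": "carol.smith-01", "description": "Login OK"},
]

# Assumed policy: usernames are short and drawn from a fixed character set.
USERNAME_OK = re.compile(r"[A-Za-z0-9._@-]{1,64}")


def username_for_log(username: str) -> str:
    """Write-time control: never store attacker-chosen markup in the log."""
    if USERNAME_OK.fullmatch(username):
        return username
    # Keep the event and its size, drop the untrusted bytes.
    return f"[invalid username, {len(username)} chars]"


def render_row(row: dict) -> str:
    """Read-time control: HTML-encode every cell before it reaches the page."""
    cells = (html.escape(str(row[key]), quote=True)
             for key in ("id", "username", "description"))
    return "<tr>" + "".join(f"<td>{cell}</td>" for cell in cells) + "</tr>"


def rows_needing_review(rows: list) -> list:
    """Audit: ids of stored rows whose username falls outside the allowlist."""
    return [row["id"] for row in rows
            if not USERNAME_OK.fullmatch(row["username"])]


if __name__ == "__main__":
    print("Rows to review:", rows_needing_review(SAMPLE_LOG_ROWS))
    for row in SAMPLE_LOG_ROWS:
        print(username_for_log(row["username"]), "|", render_row(row))
```

Either control alone stops the stored payload from executing; applying both also covers rows that were written before the write-time check existed.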
If exploited, this vulnerability could allow attackers to execute arbitrary JavaScript in the context of an admin session. Attackers might steal session cookies, perform unauthorized actions, or redirect users to malicious sites. It could also be used to launch phishing attacks or harvest login credentials through spoofed login pages. In environments handling sensitive call or billing data, such exploitation could compromise user confidentiality. Furthermore, the stored nature of the XSS means the attack persists and affects any user who views the logs. Over time, this can lead to wider compromise of administrative accounts and internal systems.