CVE-2025-2610
Published: 21 March 2025
Summary
CVE-2025-2610 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Magnussolution Magnusbilling. Its CVSS base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185); ranked in the top 18.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-2610 is an improper neutralization of input during web page generation flaw, classified as CWE-79 stored cross-site scripting, that affects the Alarm Module in MagnusSolution MagnusBilling through version 7.3.0. The issue is tied to the program file protected/components/MagnusLog.Php and carries a CVSS 3.1 score of 7.6.
An authenticated attacker with network access can supply crafted input that is stored and later rendered for other users, resulting in script execution with changed scope, high confidentiality impact, and limited integrity effects.
Public references point to a fix in the MagnusBilling repository commit f0f083c76157e31149ae58342342fb1bf1629e22 along with analysis from VulnCheck and Chocapikk that describe the vulnerability and remediation steps. The associated EPSS score remains low with only a modest peak of 0.0229.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-7201
Vulnerability details
Improper neutralization of input during web page generation vulnerability in MagnusSolution MagnusBilling (Alarm Module modules) allows authenticated stored cross-site scripting. This vulnerability is associated with program files protected/components/MagnusLog.Php. This issue affects MagnusBilling: through 7.3.0.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stored XSS in web app enables browser session hijacking and stealing web session cookies via injected scripts executed on victim page views.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Implements input validation mechanisms to neutralize malicious payloads injected into the Alarm Module's MagnusLog.Php, directly preventing the stored XSS vulnerability.
Filters information output during web page generation to block execution of injected scripts, comprehensively mitigating the improper neutralization leading to XSS.
Requires timely identification, reporting, and correction of the specific flaw in MagnusLog.Php via patching, eliminating the root cause of the CVE.