BoxBilling 3.6.11 (mod_notification) Stored Cross-Site Scripting Vulnerability

Medium
Advisory ID: ZSL-2013-5163
Release Date: 06 December 2013
Vendor:
Affected Version: 3.6.11 (mod_notification 1.0.0)
CVE: N/A
Tested On: Microsoft Windows 7 Ultimate SP1 (EN), Apache 2.4.2 (Win32), PHP 5.4.7, MySQL 5.5.25a
Summary

BoxBilling is free billing, invoicing and client management software.

Description

BoxBilling suffers from a stored cross-site scripting vulnerability. Input passed to the 'message' POST parameter through the 'Notification Center' extension/module (mod_notification) is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
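The defect described above is the classic missing output encoding: a value stored from a POST parameter is later written into an HTML page unchanged. The following PHP is an added illustration of the vulnerable pattern next to its hardened form; it is not BoxBilling's own code, and the function names, the array layout of a stored notification and the sample record are assumptions made for the example.

```php
<?php
// Added example, not taken from BoxBilling or mod_notification. The stored
// notification is modelled as an array with a 'message' key (assumption).

// Vulnerable pattern: the stored message is concatenated into the page as-is,
// so any HTML or script saved through the 'message' POST parameter executes
// in the browser of whoever views the Notification Center.
function render_notification_unsafe(array $notification): string
{
    return '<li class="notification">' . $notification['message'] . '</li>';
}

// Hardened pattern: encode for an HTML text context at output time.
// ENT_QUOTES covers single and double quotes, ENT_HTML5 with an explicit
// UTF-8 charset avoids charset-dependent bypasses, and ENT_SUBSTITUTE
// replaces invalid byte sequences instead of returning an empty string
// (which would silently drop the whole message).
function render_notification_safe(array $notification): string
{
    $escaped = htmlspecialchars(
        (string) $notification['message'],
        ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE,
        'UTF-8'
    );
    return '<li class="notification">' . $escaped . '</li>';
}

// Constructed sample record standing in for a row saved from the 'message'
// parameter; the markup inside it is a generic test marker, not a real payload.
$stored = ['message' => 'Invoice ready <script>alert(1)</script>'];

echo render_notification_unsafe($stored), PHP_EOL;
echo render_notification_safe($stored), PHP_EOL;

// Regression check a module maintainer can keep in the test suite: after
// encoding, no raw tag delimiter from the stored value may reach the page.
$rendered = render_notification_safe($stored);
assert(strpos($rendered, '<script') === false);
assert(strpos($rendered, '&lt;script&gt;') !== false);
```

Encoding belongs at the point where the value is written into HTML, not at storage time: the same message may later be placed into an attribute, a JavaScript string or an e-mail body, each of which needs a different encoding. Stripping tags on input is not a substitute, because it changes the stored data and still misses context-specific escapes.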

Proof of Concept
Disclosure Timeline
N/A
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
06.12.2013 - Initial release
07.12.2013 - Added reference [1]
10.12.2013 - Added reference [2], [3] and [4]
15.12.2013 - Added reference [5]