CVE-2026-6622
Received Received - Intake
Remote Cross-Site Scripting in BichitroGan Customer Handler

Publication date: 2026-04-20

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was identified in BichitroGan ISP Billing Software 2025.3.20. This affects an unknown function of the file /?\_route=customers/edit/ of the component Customer Handler. Such manipulation leads to cross site scripting. The attack can be executed remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-20
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-6622
EUVD
EUVD-2026-23813
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
bichitrogan isp_billing_software 2025.3.20
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in BichitroGan ISP Billing Software version 2025.3.20, specifically in an unknown function within the file /?_route=customers/edit/ of the Customer Handler component.

The issue allows an attacker to perform cross-site scripting (XSS) attacks by manipulating this component.

The attack can be executed remotely, and an exploit is publicly available.

The vendor was contacted about this vulnerability but did not respond.

Impact Analysis

This vulnerability enables remote attackers to perform cross-site scripting (XSS) attacks.

Such attacks can lead to the execution of malicious scripts in the context of the affected application, potentially allowing attackers to steal session tokens, manipulate web content, or perform actions on behalf of legitimate users.

However, the CVSS scores indicate a relatively low severity, with limited impact on confidentiality and availability.

Compliance Impact

The vulnerability is a cross-site scripting (XSS) issue that allows attackers to inject malicious scripts into user profile fields, which can lead to session hijacking, credential theft, unauthorized actions, and privilege escalation.

Such security weaknesses can impact compliance with common standards and regulations like GDPR and HIPAA because they may lead to unauthorized access to personal or sensitive data, violating data protection and privacy requirements.

Specifically, failure to properly sanitize user input and prevent XSS attacks can result in breaches of confidentiality and integrity of user data, which are critical aspects of these regulations.

Detection Guidance

This vulnerability can be detected by attempting to inject a simple cross-site scripting payload into the vulnerable input fields and observing if it executes when rendered.

  • Log in as a user or administrator to the BichitroGan ISP Billing Software.
  • Navigate to the customer edit page (e.g., /?_route=customers/edit/{id}).
  • Input a test script such as `<script>alert(1)</script>` into the "Full Name" and "Home Address" fields.
  • Save the changes.
  • Visit the customer list page (e.g., /?_route=customers/list) and check if the alert box appears, indicating script execution.

This manual test can be automated using web vulnerability scanners that support XSS detection or by using curl or similar tools to send crafted POST requests and inspecting the responses for unescaped script tags.

Mitigation Strategies

Immediate mitigation steps include sanitizing and escaping user inputs to prevent malicious scripts from being stored and executed.

  • Use PHP’s `htmlspecialchars()` function with `ENT_QUOTES` and UTF-8 encoding to properly escape user input before rendering it in HTML.
  • Implement strict input validation to reject or sanitize potentially dangerous input in the "Full Name" and "Home Address" fields.
  • Deploy Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in the browser.
  • Avoid rendering raw user input directly in HTML pages.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6622. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart