CVE-2026-6622
Remote Cross-Site Scripting in BichitroGan Customer Handler
Publication date: 2026-04-20
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bichitrogan | isp_billing_software | 2025.3.20 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in BichitroGan ISP Billing Software version 2025.3.20, specifically in an unknown function within the file /?_route=customers/edit/ of the Customer Handler component.
The issue allows an attacker to perform cross-site scripting (XSS) attacks by manipulating this component.
The attack can be executed remotely, and an exploit is publicly available.
The vendor was contacted about this vulnerability but did not respond.
How can this vulnerability impact me? :
This vulnerability enables remote attackers to perform cross-site scripting (XSS) attacks.
Such attacks can lead to the execution of malicious scripts in the context of the affected application, potentially allowing attackers to steal session tokens, manipulate web content, or perform actions on behalf of legitimate users.
However, the CVSS scores indicate a relatively low severity, with limited impact on confidentiality and availability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability is a cross-site scripting (XSS) issue that allows attackers to inject malicious scripts into user profile fields, which can lead to session hijacking, credential theft, unauthorized actions, and privilege escalation.
Such security weaknesses can impact compliance with common standards and regulations like GDPR and HIPAA because they may lead to unauthorized access to personal or sensitive data, violating data protection and privacy requirements.
Specifically, failure to properly sanitize user input and prevent XSS attacks can result in breaches of confidentiality and integrity of user data, which are critical aspects of these regulations.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to inject a simple cross-site scripting payload into the vulnerable input fields and observing if it executes when rendered.
- Log in as a user or administrator to the BichitroGan ISP Billing Software.
- Navigate to the customer edit page (e.g., /?_route=customers/edit/{id}).
- Input a test script such as `<script>alert(1)</script>` into the "Full Name" and "Home Address" fields.
- Save the changes.
- Visit the customer list page (e.g., /?_route=customers/list) and check if the alert box appears, indicating script execution.
This manual test can be automated using web vulnerability scanners that support XSS detection or by using curl or similar tools to send crafted POST requests and inspecting the responses for unescaped script tags.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include sanitizing and escaping user inputs to prevent malicious scripts from being stored and executed.
- Use PHPβs `htmlspecialchars()` function with `ENT_QUOTES` and UTF-8 encoding to properly escape user input before rendering it in HTML.
- Implement strict input validation to reject or sanitize potentially dangerous input in the "Full Name" and "Home Address" fields.
- Deploy Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in the browser.
- Avoid rendering raw user input directly in HTML pages.