CVE-2026-6623
Remote Cross-Site Scripting in BichitroGan Profile Page Handler
Publication date: 2026-04-20
Last updated on: 2026-04-20
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bichitrogan | isp_billing_software | 2025.3.20 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a security flaw found in BichitroGan ISP Billing Software version 2025.3.20. It affects an unknown function within the file located at /?_route=settings/users-view/ in the Profile Page Handler component. The flaw allows an attacker to perform a cross-site scripting (XSS) attack by manipulating this function remotely.
How can this vulnerability impact me? :
The vulnerability enables a remote attacker to execute cross-site scripting attacks, which can lead to the injection of malicious scripts into the affected web application. This can result in limited integrity impact, such as unauthorized script execution in the context of a user's browser, potentially leading to session hijacking or other malicious actions. However, there is no direct impact on confidentiality or availability according to the CVSS scores.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability is a Stored Cross-Site Scripting (XSS) flaw that allows attackers to inject malicious scripts into user profile fields, which can lead to session hijacking, credential theft, unauthorized actions, and potential privilege escalation.
Such security issues can impact compliance with common standards and regulations like GDPR and HIPAA because they threaten the confidentiality and integrity of user data and system operations.
Specifically, the risk of credential theft and unauthorized access could lead to unauthorized disclosure or alteration of personal or sensitive data, which is a violation of data protection requirements under these regulations.
Therefore, failure to remediate this vulnerability may result in non-compliance with these standards due to inadequate protection of personal and sensitive information.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to inject a script payload into the "fullname" field of a user profile and then observing if the script executes when viewing the profile or admin user view pages.
A practical detection method involves logging in as a normal user, setting the "fullname" field to a test script such as <script>alert(1)</script>, saving the changes, and then visiting the affected endpoints like /accounts/profile or /?_route=settings/users-view/{id} to check if the alert executes.
No specific network commands are provided, but manual testing through the web interface or automated scanning tools that test for stored cross-site scripting (XSS) vulnerabilities targeting the "fullname" parameter on these endpoints can be used.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include implementing proper output encoding and input validation to prevent malicious scripts from being stored and executed.
- Escape output using PHPβs htmlspecialchars() function with ENT_QUOTES and UTF-8 encoding on all user-supplied data before rendering it in the application.
- Validate input to restrict special characters in the "fullname" field to prevent injection of malicious scripts.
- Consistently apply output encoding across all templates where user data is displayed.
These steps help prevent stored XSS attacks by ensuring that injected scripts are not executed in users' browsers.