Executive Summary

This vulnerability is a weakness found in the BichitroGan ISP Billing Software version 2025.3.20, specifically in an unknown function within the file /?_route=pool/add of the Pool List Interface component.

The issue allows an attacker to perform cross-site scripting (XSS) attacks by manipulating this function. Such an attack can be executed remotely.

The exploit for this vulnerability has been made publicly available, increasing the risk of attacks.

The vendor was informed early about this vulnerability but did not respond.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow attackers to perform cross-site scripting (XSS) attacks remotely against the affected software.

Such attacks can lead to the execution of malicious scripts in the context of the victim's browser, potentially resulting in session hijacking, defacement, or redirection to malicious sites.

Because the exploit is publicly available, the risk of exploitation is higher.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability is a Stored Cross-Site Scripting (XSS) issue that allows execution of arbitrary JavaScript code, potentially leading to session hijacking, administrative account compromise, unauthorized actions, and full system takeover.

Such security weaknesses can impact compliance with common standards and regulations like GDPR and HIPAA because they may lead to unauthorized access to sensitive personal or health data, violate data protection principles, and fail to ensure adequate security controls.

Specifically, failure to properly validate and sanitize input, and to protect against XSS attacks, can result in breaches of confidentiality and integrity, which are critical requirements under these regulations.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by attempting to inject a simple JavaScript payload into the Pool Name field on the pool addition page and then checking if the payload executes when viewing the pool list.

• Use a web browser or a tool like curl or wget to send a POST request with a payload such as `<script>alert(1)</script>` to the URL `https://your-bichitrogan-instance/?_route=pool/add` in the Pool Name field.
• After submitting, visit the pool list page at `https://your-bichitrogan-instance/?_route=pool/list` and observe if the alert box or injected script executes.
• Example curl command to test injection (replace URL and parameters accordingly): curl -X POST -d "pool_name=<script>alert(1)</script>" https://your-bichitrogan-instance/?_route=pool/add

If the script executes when viewing the pool list, the vulnerability is present.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include sanitizing and validating all input to the Pool Name field to prevent injection of malicious scripts.

• Implement strict input validation to allow only safe characters in the Pool Name field.
• Escape output when rendering the Pool Name in the Pool List interface using functions like `htmlspecialchars($input, ENT_QUOTES, 'UTF-8')`.
• Deploy Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts.

Since the vendor has not responded, applying these mitigations in your environment or custom patches is critical to reduce risk.

Useful 0 Not Useful 0