Description
A security flaw has been discovered in BichitroGan ISP Billing Software 2025.3.20. This impacts an unknown function of the file /?_route=settings/users-view/ of the component Profile Page Handler. Performing a manipulation results in cross site scripting. The attack can be carried out remotely. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-04-20
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

The application contains a flaw that allows an attacker to inject arbitrary client‑side scripts via the "/?_route=settings/users-view/" endpoint. The input is reflected in the page without proper encoding, so an attacker can run malicious code in the browser of a user who views the profile page. While the impact is limited to the victim’s browser, the injected code can steal session tokens, modify page content, or trigger phishing actions. The vulnerability is a classic reflected XSS that can be triggered remotely by sending a crafted HTTP request to the exposed route. The attacker needs only access to the web interface and can target any user who visits the affected page. Because it is not a privilege‑escalation flaw, the risk is confined to the client side, but it can lead to credential theft and follow-on attacks. The CVSS score of 4.8 reflects a low severity overall; however, the absence of any mitigation and the potential for exploitation could still have significant operational impact. No exploit probability data are published, and the vulnerability is not in the CISA KEV list, implying limited known exploitation at this time.

Affected Systems

The affected product is BichitroGan ISP Billing Software version 2025.3.20. The vulnerability resides in the Profile Page Handler component, specifically the "settings/users-view" route. Users of this version who access the affected page are at risk of client‑side compromise. No other vendors or versions are listed in the current data.

Risk and Exploitability

The CVSS score of 4.8 indicates a low severity, but because the attack is remote, an external party can trigger the injection simply by sending a crafted HTTP request. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no widespread or confirmed exploitation at present. The risk is limited to the victim’s browser session; however, a compromised session can lead to credential theft, unauthorized actions performed in the user’s context, and phishing. Since no privilege escalation is involved, the overall system integrity remains intact. Given the low score but the potential for credential and session hijacking, the vulnerability should be addressed promptly.

Generated by OpenCVE AI on April 20, 2026 at 10:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a version of BichitroGan ISP Billing Software that addresses the reflected XSS in the Profile Page handler.
  • If an official patch is unavailable, sanitize all input parameters for the "/?_route=settings/users-view/" route and encode output before rendering to the browser.
  • Configure or enable a web application firewall to detect and block typical reflected XSS payloads on the affected endpoint.
  • Monitor page logs for anomalous script injection attempts and verify that no client‑side scripts are executing on profile pages.
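The second recommendation above (encode output before rendering) is the fix that removes the reflected XSS at its root. The following is an added illustration written for this page, not code from BichitroGan or OpenCVE: it extracts a reflected query parameter from a constructed request URL, shows the vulnerable rendering pattern beside the hardened one, and adds a small check that a deployer can use to confirm that user input no longer introduces markup into the rendered profile page. The parameter name `name` and the page template are assumptions; the page does not say which parameter or template is affected.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed request URL for illustration. The query parameter "name" is an
# assumption: the advisory only identifies the route, not the reflected field.
CONSTRUCTED_URL = (
    "/?_route=settings/users-view/&name=%3Cscript%3Ealert(1)%3C%2Fscript%3E"
)

# Assumed profile-page fragment: the same value lands in a text node and in an
# attribute, so the encoder must handle both contexts.
PROFILE_TEMPLATE = '<h1>Profile: {name}</h1><input value="{name}">'

# Matches the start of an HTML tag (opening or closing).
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z]")


def reflected_param(url: str, param: str = "name") -> str:
    """Return the decoded value of a query parameter, or '' if it is absent."""
    query = urlsplit(url).query
    return parse_qs(query).get(param, [""])[0]


def render_unsafe(name: str) -> str:
    """The vulnerable pattern: user input is interpolated into HTML verbatim."""
    return PROFILE_TEMPLATE.format(name=name)


def render_safe(name: str) -> str:
    """The hardened pattern: HTML-encode the value before rendering.

    html.escape with quote=True encodes <, >, &, " and ', which covers both
    the text-node and the double-quoted attribute context in the template.
    """
    return PROFILE_TEMPLATE.format(name=html.escape(name, quote=True))


def input_introduced_markup(name: str, rendered: str) -> bool:
    """Verification heuristic for a deployer: does the rendered page contain
    more tags than the template alone produces? True means the input was
    able to inject markup, i.e. output encoding is missing."""
    baseline = len(TAG_RE.findall(PROFILE_TEMPLATE.format(name="")))
    return len(TAG_RE.findall(rendered)) > baseline


if __name__ == "__main__":
    value = reflected_param(CONSTRUCTED_URL)
    print("unsafe introduces markup:", input_introduced_markup(value, render_unsafe(value)))
    print("safe introduces markup:  ", input_introduced_markup(value, render_safe(value)))
    print(render_safe(value))
```

The check is deliberately a heuristic (tag count against the template baseline); it is meant as a quick regression test after applying output encoding to the affected route, not as a replacement for a proper HTML templating engine with auto-escaping.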


Advisories

No advisories yet.

History

Mon, 20 Apr 2026 09:30:00 +0000

Type         Values Removed    Values Added
Description                    A security flaw has been discovered in BichitroGan ISP Billing Software 2025.3.20. This impacts an unknown function of the file /?_route=settings/users-view/ of the component Profile Page Handler. Performing a manipulation results in cross site scripting. The attack is possible to be carried out remotely. The vendor was contacted early about this disclosure but did not respond in any way.
Title                          BichitroGan ISP Billing Software Profile users-view cross site scripting
Weaknesses                     CWE-79, CWE-94
References
Metrics                        cvssV2_0: {'score': 3.3, 'vector': 'AV:N/AC:L/Au:M/C:N/I:P/A:N/E:ND/RL:ND/RC:UR'}
                               cvssV3_0: {'score': 2.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:X/RL:X/RC:R'}
                               cvssV3_1: {'score': 2.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:X/RL:X/RC:R'}
                               cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-20T09:00:20.118Z

Reserved: 2026-04-19T16:32:17.535Z

Link: CVE-2026-6623

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-20T10:16:17.403

Modified: 2026-04-20T10:16:17.403

Link: CVE-2026-6623

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T11:00:05Z

Weaknesses