HostBill – Admin Chat Generate Code CSRF & XSS Vulnerability (R911-0133)

Type: XSS
Location: Remote
Impact: Medium
Product: HostBill
Website: http://www.hostbillapp.com
Vulnerable Version: 2014-03-10
Fixed Version: 2014-03-12
CVE: -
R911: 0133
Date: 2014-03-13
By: Rack911

Product Description:

Whether you resell hosting or lease colocation space – you need to bill your customers. HostBill platform’s core components are designed to help you acquire customers, automate your services and ensure that invoices are paid on time.

Vulnerability Description:

Because the Chat Generate Code configuration page is affected by both a CSRF and an XSS vulnerability, a malicious user can, with minimal effort, cause a logged-in staff member's browser to submit attacker-controlled content to that page, where it is then rendered unescaped, resulting in an attack against staff accounts.
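The following is an added illustration of the CSRF-plus-XSS pattern described above; it is not HostBill code and not part of the Rack911 advisory. It models a staff-only configuration form handler twice: a vulnerable version that accepts any session-bearing POST and interpolates the saved value straight into HTML, and a hardened version that requires a session-bound synchronizer token, checks the Origin header, and escapes at output time. The field name `chat_code_title`, the `Session`/`Request` layout, the hostnames and the payload are all constructed for the example.

```python
"""Hypothetical model of a CSRF + stored-XSS chain in an admin config form.
Not HostBill's code: field names, session layout and hostnames are assumed."""
import hmac
import html
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Session:
    """Server-side session bound to the staff member's cookie (assumed layout)."""
    staff_id: int
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


@dataclass
class Request:
    """Constructed request. The session is always present because the browser
    attaches the cookie even to a cross-site form post; the token and the
    Origin header are what a page on an attacker's site cannot supply."""
    session: Session
    form: Dict[str, str]
    origin: Optional[str] = None


SITE_ORIGIN = "https://billing.example"   # assumed origin of the admin panel
store: Dict[str, str] = {}                # stands in for the config table


def vulnerable_save(req: Request) -> str:
    """CSRF: any POST carrying a valid staff session is accepted as-is."""
    store["chat_code_title"] = req.form.get("chat_code_title", "")
    return "saved"


def vulnerable_render() -> str:
    """XSS: the stored value is interpolated into HTML without escaping."""
    return '<input name="chat_code_title" value="%s">' % store.get("chat_code_title", "")


def hardened_save(req: Request) -> str:
    """Require a session-bound synchronizer token (constant-time compare) and,
    as a second layer, reject requests whose Origin header is foreign."""
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, req.session.csrf_token):
        return "rejected: bad csrf token"
    if req.origin is not None and req.origin != SITE_ORIGIN:
        return "rejected: cross-origin"
    store["chat_code_title"] = req.form.get("chat_code_title", "")
    return "saved"


def hardened_render() -> str:
    """Escape at output so a stored payload is displayed, not executed."""
    value = html.escape(store.get("chat_code_title", ""), quote=True)
    return '<input name="chat_code_title" value="%s">' % value


# Constructed payload that breaks out of the value attribute.
PAYLOAD = '"><script>alert(1)</script>'


def demo_vulnerable() -> str:
    """Cross-site POST (no token, foreign Origin) lands in the staff UI verbatim."""
    store.clear()
    staff = Session(staff_id=1)
    forged = Request(session=staff, form={"chat_code_title": PAYLOAD},
                     origin="https://evil.example")
    vulnerable_save(forged)
    return vulnerable_render()


def demo_hardened_csrf() -> str:
    """Same forged POST against the hardened handler is refused."""
    store.clear()
    staff = Session(staff_id=1)
    forged = Request(session=staff, form={"chat_code_title": PAYLOAD},
                     origin="https://evil.example")
    return hardened_save(forged)


def demo_hardened_xss() -> str:
    """A legitimate submission of the same payload is stored but rendered inert."""
    store.clear()
    staff = Session(staff_id=1)
    legit = Request(session=staff,
                    form={"chat_code_title": PAYLOAD, "csrf_token": staff.csrf_token},
                    origin=SITE_ORIGIN)
    assert hardened_save(legit) == "saved"
    return hardened_render()


if __name__ == "__main__":
    print(demo_vulnerable())
    print(demo_hardened_csrf())
    print(demo_hardened_xss())
```

The two fixes are independent: the token check stops the attacker from writing the value through a staff member's browser, and output escaping ensures that even a value written by a legitimate but careless operator cannot execute. A patch that addresses only one of the two leaves the other half of the chain in place.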

Impact:

We rate this vulnerability as MEDIUM because it can be used to interfere with staff account(s).

Vulnerable Version:

This vulnerability was tested against HostBill 2014-03-10.

Fixed Version:

This vulnerability was patched in HostBill 2014-03-12.

Vendor Contact Timeline:

2014-03-12: Vendor contacted via email.
2014-03-12: Vendor confirms vulnerability.
2014-03-12: Vendor issues 2014-03-12 update.
2014-03-13: Rack911 issues security advisory.