HostBill – XSS Admin Hijack Security Vulnerability (R911-0099)

Type: XSS
Location: Remote
Impact: High
Product: HostBill
Vulnerable Version: 2013-12-11
Fixed Version: 2013-12-14
CVE: -
R911: 0099
Date: 2013-12-14
By: Rack911

Product Description:

Whether you resell hosting or lease colocation space – you need to bill your customers. HostBill platform's core components are designed to help you acquire customers, automate your services and ensure that invoices are paid on time.

Vulnerability Description:

There is an XSS vulnerability in HostBill that would allow a malicious user to obtain the admin session cookie, which could then be used to hijack access to the admin panel.

We rate this vulnerability HIGH because the admin account(s) can be hijacked.

Vulnerable Version:

This vulnerability was tested against HostBill v2013-12-11.

Fixed Version:

This vulnerability was patched in HostBill v2013-12-14.

Vendor Contact Timeline:

2013-12-13: Vendor contacted via email.
2013-12-14: Vendor confirms vulnerability.
2013-12-14: Vendor issues v2013-12-14 update.
2013-12-14: Rack911 issues security advisory.