BoxBilling 3.6.11 (mod_notification) Stored Cross-Site Scripting Vulnerability

Title: BoxBilling 3.6.11 (mod_notification) Stored Cross-Site Scripting Vulnerability
Advisory ID: ZSL-2013-5163
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 06.12.2013
Summary
BoxBilling is free billing, invoicing and client management software.
Description
BoxBilling suffers from a stored cross-site scripting vulnerability. Input passed to the 'message' POST parameter through the 'Notification Center' extension/module is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
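The root cause described above is output without HTML encoding. The following PHP is an added illustration, not BoxBilling's own code: it places a stored notification message into a page the way a vulnerable view would, beside the encoded form a fix would use, and runs a small check over a constructed sample value. The function names render_notification_vulnerable, render_notification_safe and contains_raw_html_metachars are hypothetical and do not correspond to any BoxBilling or mod_notification API.

```php
<?php
// Added example (not BoxBilling's own code). Shows why a stored 'message' value
// must be HTML-encoded at output time, and what the encoded form looks like.
// The function names below are hypothetical, chosen for this illustration only.

declare(strict_types=1);

// Vulnerable pattern: the stored message is concatenated into HTML unchanged,
// so any markup it carries becomes part of the page when the notification is viewed.
function render_notification_vulnerable(string $message): string
{
    return '<div class="notification">' . $message . '</div>';
}

// Hardened pattern: contextual output encoding for an HTML text node.
// ENT_QUOTES also encodes single quotes, ENT_SUBSTITUTE replaces malformed UTF-8
// instead of returning an empty string, and the explicit charset avoids
// encoding mismatches between the database and the page.
function render_notification_safe(string $message): string
{
    $escaped = htmlspecialchars($message, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<div class="notification">' . $escaped . '</div>';
}

// Review check: the message part of the rendered fragment must not contain the
// characters that can change HTML context (< > " ') in raw form.
function contains_raw_html_metachars(string $html_fragment): bool
{
    return preg_match('/[<>"\']/', $html_fragment) === 1;
}

// Constructed sample, standing in for the value of the 'message' POST parameter.
$sample = '<b>Invoice #42</b> is "overdue" & unpaid';

$prefix = '<div class="notification">';
$suffix = '</div>';

// Strip the wrapper so only the message portion is inspected.
$inner_vulnerable = substr(render_notification_vulnerable($sample), strlen($prefix), -strlen($suffix));
$inner_safe       = substr(render_notification_safe($sample), strlen($prefix), -strlen($suffix));

if (!contains_raw_html_metachars($inner_vulnerable)) {
    throw new RuntimeException('vulnerable renderer unexpectedly encoded the message');
}
if (contains_raw_html_metachars($inner_safe)) {
    throw new RuntimeException('safe renderer left raw HTML metacharacters in the output');
}

echo render_notification_safe($sample), PHP_EOL;
```

Run with `php` on the command line. The design point is to store the submitted text as-is and encode it for the context in which it is emitted (here an HTML text node); a value placed inside an attribute, a URL or a script block needs the encoding for that context instead. If the product intentionally allows rich text in notifications, escaping is the wrong tool and an allowlist-based HTML sanitiser should be used before storage or display. A Content-Security-Policy header is a useful second layer but does not replace output encoding.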
Vendor
BoxBilling - http://www.boxbilling.com
Affected Version
3.6.11 (mod_notification 1.0.0)
Tested On
Microsoft Windows 7 Ultimate SP1 (EN)
Apache 2.4.2 (Win32)
PHP 5.4.7
MySQL 5.5.25a
Vendor Status
N/A
PoC
boxbilling_xss.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://www.exploit-db.com/exploits/30083/
[2] http://cxsecurity.com/issue/WLB-2013120053
[3] http://packetstormsecurity.com/files/124327
[4] http://osvdb.org/show/osvdb/100746
[5] http://xforce.iss.net/xforce/xfdb/89509
Changelog
[06.12.2013] - Initial release
[07.12.2013] - Added reference [1]
[10.12.2013] - Added reference [2], [3] and [4]
[15.12.2013] - Added reference [5]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk