CVE-2025-64030
📋 TL;DR
Eximbills Enterprise 4.1.5 is vulnerable to authenticated stored cross-site scripting (XSS) where malicious JavaScript can be injected via the TMPL_INFO parameter and executed in other users' browsers. This affects organizations using Eximbills Enterprise 4.1.5 (built October 30, 2020) with authenticated users. Attackers can steal session cookies, redirect users, or perform actions on their behalf.
💻 Affected Systems
- Eximbills Enterprise
📦 What is this software?
Eximbills Enterprise by Chinasystems
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker could steal administrator session cookies, gain full system access, pivot to internal systems, and compromise the entire Eximbills environment and connected systems.
Likely Case
Attackers steal user session cookies to impersonate legitimate users, access sensitive billing data, modify transactions, or redirect users to phishing sites.
If Mitigated
With proper input validation and output encoding, the attack would fail to execute JavaScript, limiting impact to data corruption at most.
🎯 Exploit Status
A public proof-of-concept exists in a Medium article. Exploitation requires authenticated access but is trivial once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://chinasystems.com/whatwedo/ee
Restart Required: No
Instructions:
1. Contact China Systems for patch availability.
2. If a patch exists, download it from the vendor portal.
3. Apply the patch following vendor instructions.
4. Test functionality after patching.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side input validation to sanitize the TMPL_INFO parameter by removing or encoding HTML/JavaScript special characters.
Implement input validation in WSTrxManager servlet to sanitize TMPL_INFO parameter
Output Encoding
Apply proper output encoding when rendering user-controlled data to prevent JavaScript execution.
Encode TMPL_INFO data using HTML entity encoding before rendering in responses
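The two workarounds above, shown side by side in an added Python example (this is not Chinasystems code; the real WSTrxManager servlet is Java, and the allowlist pattern for TMPL_INFO values is an assumption for illustration, since the advisory does not document the product's template identifier format). The point is that HTML entity encoding at render time turns the advisory's probe string into inert text, while the allowlist check is an extra layer that rejects it before storage.

```python
"""Added example: output encoding and input validation for a TMPL_INFO value.
Not Chinasystems code; the servlet is Java and the allowlist below is assumed."""
import html
import re

# Assumption for illustration: TMPL_INFO values are short alphanumeric identifiers.
# The real product's template identifier format is not given in the advisory.
TMPL_INFO_PATTERN = re.compile(r"^[A-Za-z0-9_\-\. ]{1,64}$")

# The probe string from the advisory's "How to Verify" section.
PROBE = "<script>alert('XSS')</script>"


def render_unsafe(tmpl_info: str) -> str:
    """The vulnerable pattern: stored user data concatenated straight into HTML,
    so any markup in the value is parsed by the viewing user's browser."""
    return f"<td>{tmpl_info}</td>"


def render_encoded(tmpl_info: str) -> str:
    """Output encoding workaround: every HTML metacharacter (& < > " ') becomes
    an entity, so the browser displays the value as text instead of executing it."""
    return f"<td>{html.escape(tmpl_info, quote=True)}</td>"


def validate_tmpl_info(tmpl_info: str) -> bool:
    """Input validation workaround (defence in depth, not a substitute for encoding):
    accept only values matching the allowlist, reject everything else at the servlet."""
    return bool(TMPL_INFO_PATTERN.fullmatch(tmpl_info))


def handle_submission(tmpl_info: str) -> str:
    """What a hardened handler does with an incoming TMPL_INFO value:
    reject it if it fails validation, otherwise store/render it encoded."""
    if not validate_tmpl_info(tmpl_info):
        return "rejected: TMPL_INFO contains characters outside the allowlist"
    return render_encoded(tmpl_info)


if __name__ == "__main__":
    print("unsafe   :", render_unsafe(PROBE))
    print("encoded  :", render_encoded(PROBE))
    print("validated:", handle_submission(PROBE))
    print("validated:", handle_submission("LC_ISSUE_01"))
```

Note that `render_encoded` is the control that actually closes the XSS: the allowlist can be loosened or bypassed by a future change in what TMPL_INFO is allowed to hold, whereas entity encoding at the point of rendering does not depend on what the value contains.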
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block XSS payloads in TMPL_INFO parameter
- Restrict access to /EximBillWeb/servlets/WSTrxManager endpoint to only necessary users
🔍 How to Verify
Check if Vulnerable:
Test by submitting <script>alert('XSS')</script> in the TMPL_INFO parameter to the /EximBillWeb/servlets/WSTrxManager endpoint and checking whether the script executes when the stored value is viewed by other users.
Check Version:
Check application version in admin interface or build date in application metadata
Verify Fix Applied:
After remediation, test with the same XSS payload: the JavaScript should not execute, and the payload should be displayed as plain text or removed.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /EximBillWeb/servlets/WSTrxManager with script tags in parameters
- Multiple failed login attempts followed by successful authentication and XSS payload submission
Network Indicators:
- HTTP requests containing <script> tags in TMPL_INFO parameter
- Unusual outbound connections from Eximbills server after XSS execution
SIEM Query:
source="eximbills" AND (uri_path="/EximBillWeb/servlets/WSTrxManager" AND (param="TMPL_INFO" AND value CONTAINS "<script>"))
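The SIEM query above expressed as runnable detection logic, as an added example that is not part of the advisory. It runs over a handful of constructed access-log lines (the log format, the client addresses and the usernames are invented for the example; Eximbills' real log format is not described on the page) and flags POST requests to the WSTrxManager endpoint whose TMPL_INFO value contains a script tag after URL decoding, which also catches the upper-case and double-encoded variants that a literal "<script>" string match would miss.

```python
"""Added example: detection of script-tag submissions in TMPL_INFO, over constructed logs.
Not Chinasystems code; the log format below is assumed for illustration."""
import re
from urllib.parse import parse_qs, unquote_plus

TARGET_PATH = "/EximBillWeb/servlets/WSTrxManager"
PARAM = "TMPL_INFO"

# Opening script tag, case-insensitive, tolerant of whitespace after "<".
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)

# Assumed log format: timestamp, client IP, authenticated user, quoted request line, status.
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) '
    r'"(?P<method>[A-Z]+) (?P<path>[^ ?"]+)(?:\?(?P<query>[^ "]*))?" (?P<status>\d{3})$'
)

# Constructed sample log: one benign submission, one plain probe, one double-encoded
# upper-case variant, one request to a different servlet, one script tag in another parameter.
SAMPLE_LOG = """
2025-11-01T09:12:03Z 10.0.0.5 alice "POST /EximBillWeb/servlets/WSTrxManager?TMPL_INFO=LC_ISSUE_01&ACTION=save" 200
2025-11-01T09:15:44Z 10.0.0.9 bob "POST /EximBillWeb/servlets/WSTrxManager?TMPL_INFO=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E" 200
2025-11-01T09:16:10Z 10.0.0.9 bob "POST /EximBillWeb/servlets/WSTrxManager?TMPL_INFO=%253CSCRIPT%253Esrc%3Dx" 200
2025-11-01T09:20:00Z 10.0.0.7 carol "GET /EximBillWeb/servlets/Login?user=carol" 200
2025-11-01T09:21:00Z 10.0.0.7 carol "POST /EximBillWeb/servlets/WSTrxManager?NOTE=%3Cscript%3E" 200
""".strip().splitlines()


def parse_line(line: str):
    """Parse one access-log line into a dict; returns None for lines that do not match."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    event = m.groupdict()
    # parse_qs decodes once; the second unquote_plus unwraps double-encoded values.
    decoded = parse_qs(event["query"] or "", keep_blank_values=True)
    event["params"] = {k: [unquote_plus(v) for v in vs] for k, vs in decoded.items()}
    return event


def find_xss_submissions(lines):
    """Equivalent of the SIEM query: WSTrxManager requests whose TMPL_INFO carries a script tag.
    Returns one hit per offending parameter value, with who sent it and when."""
    hits = []
    for line in lines:
        event = parse_line(line)
        if event is None or event["path"] != TARGET_PATH:
            continue
        for value in event["params"].get(PARAM, []):
            if SCRIPT_TAG.search(value):
                hits.append({"ts": event["ts"], "ip": event["ip"],
                             "user": event["user"], "value": value})
    return hits


if __name__ == "__main__":
    for hit in find_xss_submissions(SAMPLE_LOG):
        print(f"{hit['ts']} user={hit['user']} ip={hit['ip']} TMPL_INFO={hit['value']!r}")
```

The last sample line is deliberately not flagged: like the SIEM query on the page, this logic only inspects TMPL_INFO, the parameter the advisory names. Broadening the check to every parameter of the servlet is a reasonable hardening step once the same rendering path has been confirmed for the other fields.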