CVE-2025-64030 identifies a stored cross-site scripting vulnerability in Eximbills Enterprise version 4.1.5, released in October 2020. The vulnerability exists in the /EximBillWeb/servlets/WSTrxManager endpoint, where the TMPL_INFO parameter accepts user input that is not properly sanitized before being stored on the server. This stored input is subsequently rendered in the web interface viewed by other authenticated users, enabling the injection and execution of arbitrary JavaScript code in their browsers. Because the malicious script runs in the context of the victim's session, attackers can steal session cookies, perform actions on behalf of the victim, or manipulate the web application’s interface. Exploitation requires the attacker to be authenticated to the application, which limits exposure to internal or trusted users but does not require additional user interaction beyond accessing the affected page. No public exploits have been reported yet, and no official patch or CVSS score is currently available. The vulnerability falls under CWE-79 (Cross-site Scripting), a common web application security issue that can lead to significant compromise of user accounts and data integrity. The lack of input validation and output encoding in the TMPL_INFO parameter is the root cause, indicating a need for secure coding practices in handling user-supplied data. Given the nature of Eximbills as billing and financial management software, exploitation could lead to unauthorized financial data access or manipulation.

For European organizations, this vulnerability poses a significant risk to confidentiality and integrity of sensitive financial and billing data managed through Eximbills Enterprise. Successful exploitation could allow attackers to hijack user sessions, steal credentials, or perform unauthorized transactions, potentially leading to financial loss, reputational damage, and regulatory non-compliance under GDPR. Since the vulnerability requires authentication, it is more likely to be exploited by insiders or attackers who have compromised legitimate credentials. Organizations with multiple users accessing the vulnerable endpoint are at higher risk, as the stored XSS payload can affect multiple victims. The impact on availability is limited but could arise indirectly if attackers manipulate the application or cause denial of service through malicious scripts. The absence of known exploits suggests a window for proactive mitigation before widespread attacks occur. However, the financial and operational importance of Eximbills in affected organizations elevates the threat level. European financial institutions, billing departments, and service providers using this software should prioritize remediation to prevent lateral movement and data breaches.

1. Implement strict input validation and sanitization on the TMPL_INFO parameter to ensure that no executable scripts or malicious HTML can be stored. 2. Apply proper output encoding/escaping when rendering user-supplied data in the web interface to prevent script execution. 3. Restrict access to the /EximBillWeb/servlets/WSTrxManager endpoint to only trusted and necessary users, employing the principle of least privilege. 4. Monitor logs and user activity for unusual behavior indicative of XSS exploitation attempts or unauthorized access. 5. Educate users about the risks of stored XSS and encourage cautious behavior when interacting with internal web applications. 6. Engage with the vendor or software maintainers to obtain and apply security patches or updates addressing this vulnerability as soon as they become available. 7. Consider deploying web application firewalls (WAFs) with rules to detect and block XSS payloads targeting this endpoint. 8. Conduct regular security assessments and code reviews focusing on input handling and output rendering in Eximbills Enterprise.