Security Advisory for AhsayCBS - Reflected XSS (November/2025)
A reflected Cross-Site Scripting (XSS) vulnerability has been identified in the web interface of AhsayCBS versions v10.1.4 and earlier. This vulnerability allows an attacker to execute arbitrary JavaScript code within the context of a user's browser.
The vulnerability allows an unauthenticated attacker to craft a specific link which, if visited by a user, could execute arbitrary JavaScript within the user's browser. Successful exploitation could allow an attacker to perform actions within the user's authenticated session or facilitate credential phishing.
Affected Products:
- AhsayCBS v10.1.4.0
- AhsayCBS v10.1.2.0
- AhsayCBS v10.1.0.0
- AhsayCBS v9
Vulnerability Details:
The vulnerability exists due to insufficient validation of user-supplied input on the web interface.
- Attack Vector: An attacker can craft a malicious link containing a specific payload.
- User Interaction: Successful exploitation requires a victim to click on this crafted link.
- Impact: If a user visits the malicious link, the attacker may be able to execute scripts that perform actions on the user's behalf, access session data, or redirect the user to a phishing site.
- Authentication: The attacker does not need to be authenticated to exploit this vulnerability.
Solution:
Ahsay has released Hotfix v10.1.4.14 to eliminate this vulnerability.
Prerequisite: The hotfix is based on AhsayCBS v10.1.4.0. You must upgrade to this version before applying the hotfix.
Download AhsayCBS Hotfix v10.1.4.14 for Windows
Download AhsayCBS Hotfix v10.1.4.14 for *nix
AhsayCBS Hotfix Installation Guide
- All hotfix packages are cumulative; the latest one includes all fixes from previous ones.
- Conduct basic testing before rolling out hotfixes to production systems.
- Deploy hotfixes only to the affected production systems. (For AhsayCBS hotfixes that include Client Auto-Update (AUA) binaries, disabling AUA for each user before updating is good practice.)