What the vulnerability does
01 Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in the Zoho Billing – Embed Payment Form plugin by Zoho Subscriptions allows Stored XSS. This issue affects Zoho Billing – Embed Payment Form: from n/a through 4.0.
Explanation of Vulnerability in Simple Terms
02 Summary
The Zoho Billing – Embed Payment Form plugin contains a stored cross-site scripting (XSS) vulnerability that allows an attacker to inject malicious scripts into the payment form. An authenticated user must visit a crafted link for the attack to succeed. The injected script can steal session data, modify form content, or perform actions on behalf of the victim. This affects all versions up to and including 4.0.
What an attacker can do
03 Attacker Capabilities
Inject malicious JavaScript into the payment form to steal user data or perform unauthorized actions.
Potential impact on your site
04 Site Impact
Customer payment data and session tokens could be compromised if users interact with crafted payment form links.
Conditions required to exploit
05 Prerequisites
Attacker needs a low-privilege account and must trick a user into clicking a malicious link.
Key dates
06 Disclosure timeline
March 27, 2025: CVE published
May 10, 2025: Record updated