CVE-2020-23518

MEDIUM

UltimateKode Neo Billing <3.5 - XSS

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-23518. PoCs published by n1x_.

AI-analyzed exploit summary This exploit demonstrates a stored XSS vulnerability in Neo Billing 3.5 by injecting malicious scripts into the 'Subject' or 'Description' fields of a ticket. The payload is stored and executed when viewed by other users.

Description

Cross Site Scripting (XSS) vulnerability in UltimateKode Neo Billing - Accounting, Invoicing And CRM Software up to version 3.5 which allows remote attackers to inject arbitrary web script or HTML.

Exploits (1)

exploitdb WORKING POC

by n1x_ · textwebappsphp

https://www.exploit-db.com/exploits/47289

View Code ZIP pw:eip

This exploit demonstrates a stored XSS vulnerability in Neo Billing 3.5 by injecting malicious scripts into the 'Subject' or 'Description' fields of a ticket. The payload is stored and executed when viewed by other users.

Classification

Working Poc 95%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: Neo Billing 3.5

Auth required

Prerequisites: Valid user credentials for the Neo Billing application

MITRE ATT&CK

T1059.007 - JavaScript

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1

Core References

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

https://www.exploit-db.com/exploits/47289

Scores

CVSS v3 5.4

EPSS 0.0200

EPSS Percentile 78.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (1)

ultimatekode/neo_billing < 3.5

Published Mar 02, 2021

Tracked Since Feb 18, 2026