BoxBilling suffers from a stored cross-site scripting vulnerability. Input passed to the 'message' POST parameter through the 'Notification Center' extension/module is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site. Version 3.6.11 is affected.
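The missing control described above, as an added example that is not BoxBilling's code and not part of the advisory: a stored `message` value rendered verbatim beside the same value encoded for the HTML context at output time, plus a helper that flags already-stored rows for review. The function names, the row layout and the sample rows are assumptions constructed for illustration.

```php
<?php
// Added illustration; not BoxBilling source. All names here are hypothetical.

// Constructed sample rows: what a notification table could hold after an
// unsanitized 'message' POST value was stored.
$stored = [
    ['id' => 1, 'message' => 'Invoice #12 was paid'],
    ['id' => 2, 'message' => '<script>alert(document.domain)</script>'],
];

// Weak: the stored value is written into the page verbatim, so any markup
// in it is interpreted by the browser of whoever views the notification.
function render_unsafe(array $n): string
{
    return '<li class="notification">' . $n['message'] . '</li>';
}

// Corrected: encode for the HTML context at output time, so the stored
// value is displayed as text regardless of how it reached the database.
function render_safe(array $n): string
{
    $text = htmlspecialchars($n['message'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<li class="notification">' . $text . '</li>';
}

// Audit helper: return rows whose encoded form differs from the raw form,
// i.e. rows containing HTML metacharacters that the weak renderer would
// have emitted as markup. Matches include harmless text such as "R&D".
function rows_needing_review(array $rows): array
{
    return array_values(array_filter($rows, function (array $n): bool {
        $encoded = htmlspecialchars($n['message'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        return $encoded !== $n['message'];
    }));
}

foreach ($stored as $n) {
    echo 'unsafe: ', render_unsafe($n), PHP_EOL;
    echo 'safe:   ', render_safe($n), PHP_EOL;
}
$ids = array_column(rows_needing_review($stored), 'id');
echo 'Rows to review: ', implode(', ', $ids), PHP_EOL;
```

Encoding at output covers rows stored before any input-side fix; the review helper only narrows down which existing rows to inspect.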