Search
Search Results (19 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-64105 | 1 Fossbilling | 1 Fossbilling | 2026-06-23 | N/A |
| FOSSBilling is a billing and client management system that automates invoicing, payments, and communication for online service businesses. Versions 0.6.21 through 0.7.2 are vulnerable to IDOR through the support ticket creation workflow. By manipulating rel_id when rel_type=order, an authenticated client can create a support ticket that references another client's order they do not own. The ticketCreateForClient() method accepted rel_id without verifying order ownership for non-upgrade tasks, allowing clients to link a new ticket to another client's order by crafting the request. No cron task automatically processes cancel/upgrade requests from ticket relations; staff action is required. This affects integrity and confidentiality: staff could be misled into acting on the wrong order (e.g., cancellation or upgrade requests). While there is no client-to-client order data exposure, order IDs may appear in ticket context. This issue has been fixed in version 0.8.0. | ||||
| CVE-2026-23513 | 1 Fossbilling | 1 Fossbilling | 2026-06-23 | N/A |
| FOSSBilling is a free, open-source billing and client management system. In versions 0.7.2 and prior, a query-construction flaw in client list endpoints allowed authenticated clients to bypass tenant scoping and retrieve other clients’ data. Details In ServiceTransaction::getSearchQuery() and Order\Service::getSearchQuery(), OR-based search/action filters were appended without grouping, allowing SQL operator precedence to evaluate OR clauses independently of the enforced client_id constraint. Crafted requests could therefore return records and metadata belonging to other clients, including identifiers, amounts, status, timestamps, and related fields. This issue was fixed in version 0.8.0. | ||||
| CVE-2026-28496 | 1 Fossbilling | 1 Fossbilling | 2026-06-23 | N/A |
| FOSSBilling is a free, open-source billing and client management system. Versions prior to 0.8.0 have a Server-Side Template Injection (SSTI) vulnerability in the template rendering system. Administrators with access to features that render Twig templates (email templates, mass mail campaigns, custom payment adapters, and the `string_render` API endpoint) can inject arbitrary Twig expressions, leading to information disclosure and remote code execution. The vulnerability exists because Twig templates are rendered without a sandbox, allowing access to the full Twig environment, API context, and the application's dependency injection container. Version 0.8.0 patches the issue. Some workarounds are available. Audit existing email templates for suspicious Twig expressions, rotate all admin and client API tokens, and/or block external access to /api/system/* at reverse proxy/WAF to mitigate chaining with GHSA-78x5-c8gw-8279. | ||||
| CVE-2026-27604 | 1 Fossbilling | 1 Fossbilling | 2026-06-23 | N/A |
| FOSSBilling is a free, open-source billing and client management system. Starting in version 0.5.4 and prior to version 0.8.0, an authorization bypass in the API role handling allows unauthenticated access to privileged `/api/system/*` endpoints. Because `system` resolves to the cron admin identity, attackers can invoke admin API methods without valid credentials, session, or CSRF token. Version 0.8.0 patches the issue. Some workarounds are available. Block external access to `/api/system/*` at reverse proxy/WAF, restrict API access by trusted source IPs only (`api.allowed_ips`), rotate all admin/client API tokens immediately, invalidate active sessions and reset high-privilege credentials, and/or review API request logs for suspicious `/api/system/` access and treat as potential incident. | ||||
| CVE-2026-43926 | 1 Fossbilling | 1 Fossbilling | 2026-06-04 | N/A |
| FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, the password reset confirmation endpoint `/client/reset-password-confirm/:hash` is handled by a non-API controller and is not covered by FOSSBilling's rate limiter, which only applies to `/api/*` routes. This allows an attacker to probe the endpoint for valid reset tokens without any per-IP request limiting, attempt counting, or lockout mechanism. The endpoint acts as an oracle, returning a distinguishable response for valid versus invalid tokens (HTTP 200 vs HTTP 302 redirect). An attacker can submit unlimited token guesses to the password reset confirmation endpoint with no throttling applied. However, practical exploitability is significantly mitigated by the current token generation, which uses `hash('sha256', random_bytes(32))`, providing 256 bits of entropy. Tokens also expire after 15 minutes and are deleted after successful use. The same architectural gap applies to other controller-served auth routes, including `/staff/email/:hash` (admin password reset confirmation) and `/client/confirm-email/:hash` (email confirmation). Version 0.8.0 fixes the issue. Some workarounds are available. Configure a reverse proxy (e.g., Nginx, Apache, Cloudflare) to apply per-IP rate limiting to the `/client/reset-password-confirm/*` and `/staff/email/*` paths and/or use a WAF rule to limit request rates to these endpoints. | ||||
| CVE-2026-40495 | 1 Fossbilling | 1 Fossbilling | 2026-06-04 | N/A |
| FOSSBilling is a free, open-source billing and client management system. Versions prior to 0.8.0 leak the exact system version through asset cache buster parameters in HTML output, bypassing the `hide_version_public` security setting. The FOSSBilling version is embedded in the query string of every `<script>` and `<link>` tag generated by the `script_tag` and `stylesheet_tag` Twig filters. This information is visible to all visitors — including unauthenticated guests — on every page, regardless of whether the `hide_version_public` setting is enabled. The `X-FOSSBilling-Version` HTTP header and the `guest.system.version` API endpoint correctly honour the `hide_version_public` setting, but the asset cache buster parameters were overlooked. Knowledge of the exact FOSSBilling version makes it significantly easier for malicious actors to identify known vulnerabilities applicable to a given installation and craft targeted exploits. While not a direct vulnerability on its own, it undermines the intended protection offered by the `hide_version_public` setting and facilitates reconnaissance. Version 0.8.0 contains a patch. There is no practical workaround that removes the version from asset URLs without modifying source code. | ||||
| CVE-2026-43924 | 1 Fossbilling | 1 Fossbilling | 2026-06-04 | N/A |
| FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, the Redirect module does not validate the URL scheme of administrator-configured destination URLs before storing or issuing redirects. This allows arbitrary external URLs to be configured as redirect targets, creating an open redirect vulnerability exploitable for phishing attacks. Users following a legitimate FOSSBilling URL can be silently redirected to an attacker-controlled external site. The redirect is issued as a 301 (Moved Permanently) response, which browsers cache persistently, amplifying the impact. Exploitation requires administrator privileges to create or modify redirect entries, limiting practical attack scenarios to multi-admin environments or compromised admin accounts. Version 0.8.0 fixes the issue. Some workarounds are available. Restrict admin access to the Redirect module to trusted administrators only and/or audit existing redirect entries in the database (the `extension_meta` table with `extension = 'mod_redirect'`) for any unexpected or external target URLs. | ||||
| CVE-2023-3227 | 1 Fossbilling | 1 Fossbilling | 2025-01-02 | 5.7 Medium |
| Insufficient Granularity of Access Control in GitHub repository fossbilling/fossbilling prior to 0.5.0. | ||||
| CVE-2023-3228 | 1 Fossbilling | 1 Fossbilling | 2025-01-02 | 5.7 Medium |
| Business Logic Errors in GitHub repository fossbilling/fossbilling prior to 0.5.0. | ||||
| CVE-2023-3229 | 1 Fossbilling | 1 Fossbilling | 2025-01-02 | 6.5 Medium |
| Business Logic Errors in GitHub repository fossbilling/fossbilling prior to 0.5.0. | ||||
| CVE-2023-3230 | 1 Fossbilling | 1 Fossbilling | 2025-01-02 | 7.5 High |
| Missing Authorization in GitHub repository fossbilling/fossbilling prior to 0.5.0. | ||||
| CVE-2023-4005 | 1 Fossbilling | 1 Fossbilling | 2024-11-21 | 9.8 Critical |
| Insufficient Session Expiration in GitHub repository fossbilling/fossbilling prior to 0.5.5. | ||||
| CVE-2023-3568 | 2 Alextselegidis, Fossbilling | 2 Easyappointments, Fossbilling | 2024-11-21 | 6.3 Medium |
| Open Redirect in GitHub repository alextselegidis/easyappointments prior to 1.5.0. | ||||
| CVE-2023-3521 | 1 Fossbilling | 1 Fossbilling | 2024-11-21 | 6.1 Medium |
| Cross-site Scripting (XSS) - Reflected in GitHub repository fossbilling/fossbilling prior to 0.5.4. | ||||
| CVE-2023-3493 | 1 Fossbilling | 1 Fossbilling | 2024-11-21 | 8.0 High |
| Improper Neutralization of Formula Elements in a CSV File in GitHub repository fossbilling/fossbilling prior to 0.5.3. | ||||
| CVE-2023-3491 | 1 Fossbilling | 1 Fossbilling | 2024-11-21 | 8.8 High |
| Unrestricted Upload of File with Dangerous Type in GitHub repository fossbilling/fossbilling prior to 0.5.3. | ||||
| CVE-2023-3490 | 1 Fossbilling | 1 Fossbilling | 2024-11-21 | 9.8 Critical |
| SQL Injection in GitHub repository fossbilling/fossbilling prior to 0.5.3. | ||||
| CVE-2023-3394 | 1 Fossbilling | 1 Fossbilling | 2024-11-21 | 5.4 Medium |
| Session Fixation in GitHub repository fossbilling/fossbilling prior to 0.5.1. | ||||
| CVE-2023-3393 | 1 Fossbilling | 1 Fossbilling | 2024-11-21 | 7.2 High |
| Code Injection in GitHub repository fossbilling/fossbilling prior to 0.5.1. | ||||
Page 1 of 1.