Impact
FOSSBilling’s API role validation flaw, present from version 0.5.4 up to, but not including, 0.8.0, allows unauthenticated requests to reach the privileged /api/system/* endpoints. The system role maps to a cron‑level admin identity, so any caller can invoke administrative API methods without providing credentials, session cookies, or a CSRF token. This missing authentication (CWE‑306) and missing authorization (CWE‑862/863) weaknesses give attackers full control over the billing system, enabling changes to configuration, creation or deletion of client accounts, and potential data exfiltration. The flaw also permits exposure of sensitive configuration data via the API, relevant to CWE‑200.
Affected Systems
The vulnerability affects the open‑source billing and client management platform FOSSBilling in all releases starting at 0.5.4 and prior to 0.8.0. The affected product is referred to as FOSSBilling. Version 0.8.0 contains the patch that resolves the role validation issue.
Risk and Exploitability
The CVSS score of 10 classifies the flaw as critical, and the EPSS score is unavailable, indicating no published data on exploitation prevalence. The flaw is not listed in CISA’s KEV catalog. Based on the description, the likely attack vector is through unauthenticated HTTP requests to the exposed /api/system/* endpoints; an attacker requires only open network connectivity to the target’s API interface. No credentials, session, or CSRF proof are necessary to exploit this authorization bypass.
OpenCVE Enrichment