Impact
FOSSBilling, an open‑source billing system, contains a missing authorization check in the guest invoice/update API. The flaw lets an unauthenticated user who possesses an invoice hash alter the gateway_id field of any unpaid invoice. The user cannot redirect funds to an arbitrary external URL because the gateway must already be installed by an administrator, but the attacker can switch the invoice to a different configured gateway, potentially diverting payment processing or enabling a pre‑approved gateway to process the invoice without consent.
Affected Systems
All versions of FOSSBilling prior to 0.8.0 are affected by this vulnerability. The problematic endpoint is the Guest API invoice/update route that responds to requests containing an invoice hash. Administrators should verify which released versions remain in use. The vendor’s release notes state that 0.8.0 includes the missing authorization check and fixes the issue.
Risk and Exploitability
The CVSS score of 7.7 indicates high severity. Although no EPSS value is published, the exploit requires only an invoice hash, which can leak through shared URLs, referrer headers, or email links. The likely attack vector is an HTTP API call to the guest endpoint, inferred from the description. The vulnerability is not listed in the CISA KEV catalog. While the lack of an external redirection capability limits the damage, the ability to alter payment gateways can still result in financial loss or billing errors. Consequently, the risk remains significant, especially in environments that enable the invoice_accessible_from_hash setting or grant broad permissions for gateway configuration.
OpenCVE Enrichment