Description
FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, the Redirect module does not validate the URL scheme of administrator-configured destination URLs before storing or issuing redirects. This allows arbitrary external URLs to be configured as redirect targets, creating an open redirect vulnerability exploitable for phishing attacks. Users following a legitimate FOSSBilling URL can be silently redirected to an attacker-controlled external site. The redirect is issued as a 301 (Moved Permanently) response, which browsers cache persistently, amplifying the impact. Exploitation requires administrator privileges to create or modify redirect entries, limiting practical attack scenarios to multi-admin environments or compromised admin accounts. Version 0.8.0 fixes the issue. Some workarounds are available. Restrict admin access to the Redirect module to trusted administrators only and/or audit existing redirect entries in the database (the `extension_meta` table with `extension = 'mod_redirect'`) for any unexpected or external target URLs.
Published: 2026-06-03
Score: 4.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

FOSSBilling's Redirect module, prior to version 0.8.0, fails to validate the scheme of administrator-configured URLs before storing them. Attackers with admin rights can set any external URL as a redirect target, resulting in a 301 redirect that silently forwards legitimate users to attacker-controlled sites. This open redirect can be used for phishing by disguising malicious landing pages as trusted FOSSBilling URLs. The flaw is an instance of CWE-601.

Affected Systems

The vulnerability affects FOSSBilling itself (vendor and product are both FOSSBilling). Any deployment running a release earlier than 0.8.0 is vulnerable, since those versions lack URL scheme validation in the Redirect module.

Risk and Exploitability

Exploitation requires administrator privileges to create or modify redirect entries, which limits the attack surface to multi-admin environments or compromised admin accounts. The CVSS score of 4.8 indicates moderate severity, and the absence of a KEV listing suggests the vulnerability is not currently known to be widely exploited. Because the redirect uses a 301 response, browsers cache the target, which can amplify the phishing impact: a malicious entry keeps redirecting returning visitors even after it is removed from the server, until their cache expires. An attacker would therefore need to gain admin access, or use an already compromised admin account, to configure the harmful redirect.

Generated by OpenCVE AI on June 3, 2026 at 21:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to FOSSBilling version 0.8.0 or later to enforce URL scheme validation.
  • Restrict access to the Redirect module so that only trusted administrators can create or edit redirect entries.
  • Audit the `extension_meta` table for any existing redirect entries that point to external URLs and remove or correct them.

Generated by OpenCVE AI on June 3, 2026 at 21:20 UTC.
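The scheme check the pre-0.8.0 module lacks, and the audit of existing entries recommended above, as an added example written here for illustration; it is not FOSSBilling's own code. It assumes a single site hostname and treats each `extension_meta` row as a dict with `extension`, `meta_key` and `meta_value` (the target URL); that column layout is an assumption, as are the sample rows.

```python
"""Redirect-target validation and audit for CVE-2026-43924 (added example).
Row layout of extension_meta and the sample values are assumptions."""
from urllib.parse import urlsplit

# Schemes a same-site absolute target may use (assumed policy for this example).
ALLOWED_SCHEMES = {"http", "https"}


def is_safe_redirect_target(target: str, site_host: str) -> bool:
    """True only if `target` keeps the user on `site_host`.

    Accepts a same-site absolute http(s) URL or a site-relative path.
    Rejects other schemes (javascript:, data:, ftp:, ...), protocol-relative
    '//host' forms, userinfo tricks ('https://site@evil'), backslash variants
    that browsers normalise to '/', and any control characters.
    """
    target = (target or "").strip()
    if not target or any(ord(c) < 0x20 or c == "\x7f" for c in target):
        return False
    if "\\" in target:
        return False
    parts = urlsplit(target)
    if parts.scheme:
        # Absolute URL: scheme and host must both match the local site exactly.
        host = (parts.hostname or "").lower()
        return parts.scheme.lower() in ALLOWED_SCHEMES and host == site_host.lower()
    if parts.netloc:
        # Scheme-less but with an authority, e.g. '//evil.test/x': external.
        return False
    # Relative path: must start with exactly one '/'.
    return target.startswith("/") and not target.startswith("//")


def audit_redirect_rows(rows, site_host):
    """Return (meta_key, meta_value) pairs for mod_redirect rows with unsafe targets."""
    return [
        (row["meta_key"], row["meta_value"])
        for row in rows
        if row.get("extension") == "mod_redirect"
        and not is_safe_redirect_target(row.get("meta_value", ""), site_host)
    ]


# Constructed rows standing in for
# SELECT * FROM extension_meta WHERE extension = 'mod_redirect'; illustrative only.
SAMPLE_ROWS = [
    {"extension": "mod_redirect", "meta_key": "/promo", "meta_value": "/order/new"},
    {"extension": "mod_redirect", "meta_key": "/docs", "meta_value": "https://billing.example.test/kb"},
    {"extension": "mod_redirect", "meta_key": "/login", "meta_value": "https://billing.example.test.evil.test/login"},
    {"extension": "mod_redirect", "meta_key": "/help", "meta_value": "//cdn.evil.test/help"},
    {"extension": "mod_other", "meta_key": "x", "meta_value": "javascript:void(0)"},
]

if __name__ == "__main__":
    for key, value in audit_redirect_rows(SAMPLE_ROWS, "billing.example.test"):
        print(f"unsafe redirect: {key} -> {value}")
```

Note that the host comparison is an exact match, so a lookalike such as `billing.example.test.evil.test` is flagged rather than passed by a prefix check.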

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 20:15:00 +0000

Type: Description
Values removed: -
Values added: FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, the Redirect module does not validate the URL scheme of administrator-configured destination URLs before storing or issuing redirects. This allows arbitrary external URLs to be configured as redirect targets, creating an open redirect vulnerability exploitable for phishing attacks. Users following a legitimate FOSSBilling URL can be silently redirected to an attacker-controlled external site. The redirect is issued as a 301 (Moved Permanently) response, which browsers cache persistently, amplifying the impact. Exploitation requires administrator privileges to create or modify redirect entries, limiting practical attack scenarios to multi-admin environments or compromised admin accounts. Version 0.8.0 fixes the issue. Some workarounds are available. Restrict admin access to the Redirect module to trusted administrators only and/or audit existing redirect entries in the database (the `extension_meta` table with `extension = 'mod_redirect'`) for any unexpected or external target URLs.

Type: Title
Values removed: -
Values added: FOSSBilling has an open redirect via administrator-configured redirect targets

Type: Weaknesses
Values removed: -
Values added: CWE-601

Type: References
Values removed: -
Values added: -

Type: Metrics
Values removed: -
Values added: cvssV4_0 {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-03T19:56:25.836Z

Reserved: 2026-05-04T16:59:09.089Z

Link: CVE-2026-43924

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-03T20:16:21.133

Modified: 2026-06-03T20:16:21.133

Link: CVE-2026-43924

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T21:30:32Z

Weaknesses