
FOSSBilling CVE-2025-64105

EUVD-2025-210325 · MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-06-23 · GitHub_M
CVSS 4.0 base score 5.1 (Vendor: GitHub_M)

Severity by source

Vendor (GitHub_M), primary: 5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI: 5.4 MEDIUM
Rationale: network-accessible IDOR by an authenticated client (PR:L); staff action required (UI:R); cross-client order impact treated as a scope change (S:C); minimal confidentiality impact from order ID exposure, limited integrity impact via staff deception.
CVSS 3.1: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N

Primary rating from Vendor (GitHub_M).

CVSS 4.0 base metrics (Vendor: GitHub_M)

Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Low
User Interaction: Passive

Lifecycle Timeline

Patch available: Jun 23, 2026 22:02 (EUVD)
Source code evidence fetched: Jun 23, 2026 20:54 (vuln.today)
Analysis generated: Jun 23, 2026 20:54 (vuln.today)

Description (CVE.org)

FOSSBilling is a billing and client management system that automates invoicing, payments, and communication for online service businesses. Versions 0.6.21 through 0.7.2 are vulnerable to IDOR through the support ticket creation workflow. By manipulating rel_id when rel_type=order, an authenticated client can create a support ticket that references another client's order they do not own. The ticketCreateForClient() method accepted rel_id without verifying order ownership for non-upgrade tasks, allowing clients to link a new ticket to another client's order by crafting the request. No cron task automatically processes cancel/upgrade requests from ticket relations; staff action is required. This affects integrity and confidentiality: staff could be misled into acting on the wrong order (e.g., cancellation or upgrade requests). While there is no client-to-client order data exposure, order IDs may appear in ticket context. This issue has been fixed in version 0.8.0.

Analysis (AI)

Insecure Direct Object Reference in FOSSBilling's support ticket creation workflow allows authenticated clients on versions 0.6.21 through 0.7.2 to link tickets to orders owned by other clients by manipulating the rel_id parameter. The ticketCreateForClient() method omits ownership verification for non-upgrade ticket relations, enabling cross-client order association. While no automated harm occurs, staff can be deceived into acting on the wrong client's order - such as processing unauthorised cancellation or upgrade requests - with minimal order ID disclosure as a secondary confidentiality concern. No public exploit is identified at time of analysis; the issue is patched in version 0.8.0.

Technical Context (AI)

FOSSBilling is a PHP-based open-source billing and client management platform (CPE: cpe:2.3:a:fossbilling:fossbilling). The vulnerability is classified as CWE-639 (Authorization Bypass Through User-Controlled Key), a subclass of broken access control in which a user-supplied identifier, here rel_id, is accepted without verifying that the requesting user is authorised to reference that resource. Specifically, the ticketCreateForClient() API method permits the caller to set rel_type=order and supply any order ID as rel_id; the server binds the new ticket to that order without asserting that the authenticated client owns it. Per the CVE description, only the upgrade task path carried an ownership check, so any other task type (for example a cancellation request) could be attached to a foreign order. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:P) reflects a straightforward network-reachable IDOR requiring only a standard client session, with staff interaction on the resulting ticket needed to realise impact.

Remediation (AI)

Upgrade to FOSSBilling 0.8.0, released 2026-05-28, which resolves this vulnerability along with several other security issues including critical- and high-severity findings. The release is available at https://github.com/FOSSBilling/FOSSBilling/releases/tag/0.8.0. Operators should note that 0.8.0 carries breaking changes: PHP 8.3 or newer is now required, guest API routes have been refactored, custom modules and themes may need updates, and the frontend build system has changed. A full review of the release notes and a pre-upgrade backup are strongly recommended. If an immediate upgrade is not feasible, a targeted compensating control is to add a server-side ownership assertion in ticketCreateForClient() verifying that the authenticated client's account ID matches the account owning the order referenced by rel_id before proceeding. That check should apply to every rel_type=order relation regardless of task type (the flaw was the gap in the non-upgrade path), and it should fail identically for an order that does not exist and an order owned by another client, so the endpoint does not become an order ID enumeration oracle. As an operational measure, staff should be trained to independently verify order ownership before acting on ticket-linked cancel or upgrade requests, reducing the social-engineering risk without requiring a code change.
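The following PHP is an added illustration of the flaw described in the Technical Context section and of the compensating control above. It is not FOSSBilling's code and not the 0.8.0 patch: the TicketService and OrderRepository classes, the rel_task field, the in-memory order table and the client and order IDs are all assumptions made for the example. The vulnerable method mirrors the page's description (ownership checked only on the upgrade path); the hardened method checks ownership for every order relation and returns the same error for missing and foreign orders.

```php
<?php
// Added example for CVE-2025-64105, not FOSSBilling's own code. Class names,
// the rel_task field and all sample IDs are assumptions for illustration.
declare(strict_types=1);

final class OrderRepository
{
    /** @var array<int,int> order id => owning client id (constructed sample data) */
    private array $orders = [
        1001 => 7,   // owned by client 7
        1002 => 7,
        2001 => 42,  // owned by client 42
    ];

    public function ownerOf(int $orderId): ?int
    {
        return $this->orders[$orderId] ?? null;
    }
}

final class TicketService
{
    public function __construct(private OrderRepository $orders) {}

    // VULNERABLE (mirrors the page): rel_id is only validated when the task is
    // an upgrade, so any other task can reference another client's order.
    public function ticketCreateForClientVulnerable(int $clientId, array $data): array
    {
        $relType = $data['rel_type'] ?? null;
        $relId   = isset($data['rel_id']) ? (int) $data['rel_id'] : null;
        $task    = $data['rel_task'] ?? null;

        if ($relType === 'order' && $task === 'upgrade') {
            $this->assertOrderOwnedBy($clientId, $relId);   // only this path was checked
        }

        return $this->persist($clientId, $relType, $relId, $task);
    }

    // HARDENED: every order relation must belong to the caller, independent of task.
    public function ticketCreateForClient(int $clientId, array $data): array
    {
        $relType = $data['rel_type'] ?? null;
        $relId   = isset($data['rel_id']) ? (int) $data['rel_id'] : null;
        $task    = $data['rel_task'] ?? null;

        if ($relType === 'order') {
            $this->assertOrderOwnedBy($clientId, $relId);
        }

        return $this->persist($clientId, $relType, $relId, $task);
    }

    private function assertOrderOwnedBy(int $clientId, ?int $orderId): void
    {
        $owner = $orderId === null ? null : $this->orders->ownerOf($orderId);
        // One message for "does not exist" and "not yours": no order ID oracle.
        if ($owner !== $clientId) {
            throw new RuntimeException('Order not found');
        }
    }

    private function persist(int $clientId, ?string $relType, ?int $relId, ?string $task): array
    {
        // Stand-in for the database write; returns the row that would be stored.
        return ['client_id' => $clientId, 'rel_type' => $relType, 'rel_id' => $relId, 'rel_task' => $task];
    }
}

// Client 7 submits a cancellation ticket against order 2001, which belongs to client 42.
$svc     = new TicketService(new OrderRepository());
$request = ['rel_type' => 'order', 'rel_id' => 2001, 'rel_task' => 'cancel', 'subject' => 'Please cancel'];

$ticket = $svc->ticketCreateForClientVulnerable(7, $request);
printf("vulnerable: ticket for client %d linked to order %d\n", $ticket['client_id'], $ticket['rel_id']);

try {
    $svc->ticketCreateForClient(7, $request);
} catch (RuntimeException $e) {
    echo 'hardened: rejected (' . $e->getMessage() . ")\n";
}

// The legitimate case still succeeds.
$own = $svc->ticketCreateForClient(7, ['rel_type' => 'order', 'rel_id' => 1001, 'rel_task' => 'cancel']);
printf("hardened: client %d linked to own order %d\n", $own['client_id'], $own['rel_id']);
```

The ownership lookup is keyed on the order's owning client rather than on anything the caller supplies, which is the general fix for CWE-639: the server derives the authorisation decision from the authenticated identity and server-side data, never from the user-controlled key alone.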


CVE-2025-64105 vulnerability details – vuln.today
