Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-accessible IDOR by an authenticated client (PR:L). Staff must act on the linked ticket for harm to occur, scored as passive user interaction (UI:P); the misled action lands on another client's order, scored as low integrity impact on a subsequent system (SI:L), with low integrity on the vulnerable system itself (VI:L) via staff deception. Confidentiality is scored none (VC:N): order IDs may surface in ticket context, but no order data is exposed client-to-client.
Primary rating from Vendor (GitHub_M).
Description (CVE.org)
FOSSBilling is a billing and client management system that automates invoicing, payments, and communication for online service businesses. Versions 0.6.21 through 0.7.2 are vulnerable to IDOR through the support ticket creation workflow. By manipulating rel_id when rel_type=order, an authenticated client can create a support ticket that references another client's order they do not own. The ticketCreateForClient() method accepted rel_id without verifying order ownership for non-upgrade tasks, allowing clients to link a new ticket to another client's order by crafting the request. No cron task automatically processes cancel/upgrade requests from ticket relations; staff action is required. This affects integrity and confidentiality: staff could be misled into acting on the wrong order (e.g., cancellation or upgrade requests). While there is no client-to-client order data exposure, order IDs may appear in ticket context. This issue has been fixed in version 0.8.0.
Analysis (AI)
Insecure Direct Object Reference in FOSSBilling's support ticket creation workflow allows authenticated clients on versions 0.6.21 through 0.7.2 to link tickets to orders owned by other clients by manipulating the rel_id parameter. The ticketCreateForClient() method omits ownership verification for non-upgrade ticket relations, enabling cross-client order association. While no automated harm occurs, staff can be deceived into acting on the wrong client's order - such as processing unauthorised cancellation or upgrade requests - with minimal order ID disclosure as a secondary confidentiality concern. No public exploit is identified at time of analysis; the issue is patched in version 0.8.0.
Technical Context (AI)
FOSSBilling is a PHP-based open-source billing and client management platform (CPE: cpe:2.3:a:fossbilling:fossbilling). The vulnerability is classified as CWE-639 (Authorization Bypass Through User-Controlled Key), a form of broken access control in which a user-supplied identifier, here rel_id, is accepted without verifying that the requesting user is authorised to reference the resource it names. Specifically, the ticketCreateForClient() API method permits the caller to set rel_type=order and supply any order ID as rel_id; the server binds the new ticket to that order without asserting that the authenticated client owns it (per the CVE description, the check was missing for non-upgrade tasks). The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:P) reflects a network-reachable IDOR requiring only a standard client session, with passive staff interaction (a staff member handling the ticket) needed to realise impact.
Remediation (AI)
Upgrade to FOSSBilling 0.8.0, released 2026-05-28, which resolves this vulnerability along with several other security issues including critical- and high-severity findings. The release is available at https://github.com/FOSSBilling/FOSSBilling/releases/tag/0.8.0. Operators must note that 0.8.0 carries breaking changes: PHP 8.3 or newer is now required, guest API routes have been refactored, custom modules and themes may need updates, and the frontend build system has changed - a full review of release notes and a pre-upgrade backup are strongly recommended. If immediate upgrade is not feasible, a targeted compensating control is to add a server-side ownership assertion in ticketCreateForClient() verifying that the authenticated client's account ID matches the account owning the order referenced by rel_id before proceeding. As an operational measure, staff should be trained to independently verify order ownership before acting on ticket-linked cancel or upgrade requests, reducing the social-engineering risk without requiring a code change.
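The following is an added example, not FOSSBilling's own code: a minimal PHP model of a client-facing ticket-create handler that binds a ticket to an order via client-supplied rel_type and rel_id. It illustrates both the missing-ownership pattern described under Technical Context and the server-side ownership assertion suggested above as a compensating control. The function names (ticketCreateVulnerable, ticketCreateHardened), the ORDERS table, the client IDs and the request array are all constructed for the illustration and do not correspond to FOSSBilling's real method signatures or schema.

```php
<?php
// Added example (hypothetical, not FOSSBilling code): a ticket-create handler that
// links a new ticket to an order chosen by the client through rel_type/rel_id.
declare(strict_types=1);

// Constructed sample data: two clients, each owning exactly one order.
const ORDERS = [
    101 => ['id' => 101, 'client_id' => 1, 'title' => 'Shared hosting (client 1)'],
    202 => ['id' => 202, 'client_id' => 2, 'title' => 'VPS (client 2)'],
];

/**
 * Vulnerable pattern: rel_id is trusted as soon as the order exists.
 * $callerClientId is the authenticated client (from the session), $data the request body.
 */
function ticketCreateVulnerable(int $callerClientId, array $data): array
{
    $relType = $data['rel_type'] ?? null;
    $relId   = isset($data['rel_id']) ? (int) $data['rel_id'] : null;
    $relTask = $data['rel_task'] ?? null;   // e.g. 'cancel' or 'upgrade'

    if ($relType === 'order' && $relId !== null) {
        if (!isset(ORDERS[$relId])) {
            throw new InvalidArgumentException('Order not found');
        }
        // Missing: no check that ORDERS[$relId]['client_id'] === $callerClientId,
        // so a client can attach its ticket to any order ID it can guess.
    }

    return [
        'client_id' => $callerClientId,
        'rel_type'  => $relType,
        'rel_id'    => $relId,
        'rel_task'  => $relTask,
        'subject'   => (string) ($data['subject'] ?? ''),
    ];
}

/**
 * Hardened pattern: the referenced order must belong to the authenticated client,
 * for every rel_task (cancel, upgrade, or none), not only for upgrades.
 */
function ticketCreateHardened(int $callerClientId, array $data): array
{
    $relType = $data['rel_type'] ?? null;
    $relId   = isset($data['rel_id']) ? (int) $data['rel_id'] : null;
    $relTask = $data['rel_task'] ?? null;

    if ($relType === 'order' && $relId !== null) {
        $order = ORDERS[$relId] ?? null;
        // One generic error for both "does not exist" and "not yours": a distinct
        // message would let a client confirm which order IDs exist.
        if ($order === null || $order['client_id'] !== $callerClientId) {
            throw new InvalidArgumentException('Order not found');
        }
    }

    return [
        'client_id' => $callerClientId,
        'rel_type'  => $relType,
        'rel_id'    => $relId,
        'rel_task'  => $relTask,
        'subject'   => (string) ($data['subject'] ?? ''),
    ];
}

// Constructed request: client 1 asks staff to cancel order 202, which belongs to client 2.
$attack = ['subject' => 'Please cancel this order', 'rel_type' => 'order',
           'rel_id' => '202', 'rel_task' => 'cancel'];

$t = ticketCreateVulnerable(1, $attack);
printf("vulnerable: client %d opened a %s ticket linked to order %d (owned by client %d)\n",
    $t['client_id'], $t['rel_task'], $t['rel_id'], ORDERS[$t['rel_id']]['client_id']);

try {
    ticketCreateHardened(1, $attack);
} catch (InvalidArgumentException $e) {
    printf("hardened: rejected for client 1 (%s)\n", $e->getMessage());
}

// The legitimate owner can still link a ticket to the same order.
$ok = ticketCreateHardened(2, $attack);
printf("hardened: client %d linked ticket to its own order %d\n", $ok['client_id'], $ok['rel_id']);
```

The ownership check belongs in the API method itself rather than in the UI or in staff procedure, because the client controls the request body directly; the training measure above reduces the damage of a missed check but does not remove the cross-client link from the database.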
EUVD-2025-210325