Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-facing API reachable with a low-privilege client account (PR:L), no user interaction, trivial complexity; the impact is read-only PII disclosure, so VC:H with VI:N/VA:N and no impact on subsequent systems (SC:N/SI:N/SA:N).
Primary rating from Vendor (GitHub_M).
Description (source: CVE.org)
FOSSBilling is a free, open-source billing and client management system. In versions 0.7.2 and prior, the Servicecustom Client API's __call method accepts an order_id parameter and fetches the associated order without verifying the authenticated client owns it, potentially exposing cross-client data through IDOR. An authenticated client can access any other client's custom service by guessing sequential order IDs. This can lead to a confidentiality breach - attackers can read client PII (name, email, phone, address, company details, VAT number) and service configuration data belonging to other clients. This issue has been fixed in version 0.8.0.
Analysis (AI)
Insecure direct object reference (IDOR) in FOSSBilling's Servicecustom Client API (versions 0.7.2 and prior) lets any authenticated client retrieve another client's custom service records by supplying a guessed sequential order_id, because the __call method fetches the order without an ownership check. The exposed data includes other clients' PII (name, email, phone, address, company details, VAT number) and service configuration, making this a cross-tenant confidentiality breach. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires an authenticated FOSSBilling client account (CVSS PR:L) and an instance that exposes the Servicecustom Client API; the attacker calls its __call method with an attacker-chosen order_id that they do not own. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor-assigned CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N, score 7.1) accurately reflects a network-reachable, low-complexity flaw requiring only a low-privilege authenticated client account, with high confidentiality impact and no integrity or availability impact, consistent with read-only PII disclosure. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or already holds a low-privilege client account on a FOSSBilling instance, then repeatedly calls the Servicecustom Client API while incrementing the order_id parameter through sequential values. For each ID belonging to another client, the API returns that client's custom service configuration and personal data, allowing bulk harvesting of PII across the entire customer base. … |
| Remediation | Vendor-released patch: 0.8.0. Upgrade FOSSBilling to 0.8.0 or later (https://github.com/FOSSBilling/FOSSBilling/releases/tag/0.8.0), reviewing the advisory at https://github.com/FOSSBilling/FOSSBilling/security/advisories/GHSA-p36w-9x66-488j first. … Detailed patch versions, workarounds, and compensating controls in full report. |
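The two practical takeaways from the assessment above are the missing ownership check (the root cause) and the sequential-ID enumeration pattern a defender can look for until the upgrade lands. The following is an added example written for this page, not FOSSBilling's own code or API: it shows a lookup that binds the record to the calling client's ID beside the flawed lookup-by-order_id-only, and a small detector run over constructed access-log lines. `ORDERS`, `SAMPLE_LOG`, the log format, and all function names are assumptions made for the example.

```python
"""Added example (not FOSSBilling code): ownership-bound order lookup and a
sequential-ID enumeration detector over constructed access-log lines."""
import re
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Order:
    id: int
    client_id: int
    service_config: dict = field(default_factory=dict)


# Constructed sample data: three orders belonging to two clients.
ORDERS = {
    101: Order(101, client_id=1, service_config={"plan": "basic"}),
    102: Order(102, client_id=2, service_config={"plan": "pro", "vat": "EXAMPLE-VAT"}),
    103: Order(103, client_id=2, service_config={"plan": "pro"}),
}


class NotFound(Exception):
    """Raised for missing and foreign orders alike, so a caller cannot tell them apart."""


def get_order_vulnerable(order_id: int, client_id: int) -> Order:
    """Mirrors the flaw in the advisory: the authenticated client's ID is
    available but never compared, so the lookup is keyed on order_id alone."""
    del client_id  # deliberately unused: this is the 'before' of the fix
    try:
        return ORDERS[order_id]
    except KeyError:
        raise NotFound(order_id) from None


def get_order_for_client(order_id: int, client_id: int) -> Order:
    """Hardened form: ownership is part of the lookup. A foreign order yields the
    same NotFound as a non-existent one, so neither the data nor the fact that
    the ID is in use leaks to another tenant."""
    order = ORDERS.get(order_id)
    if order is None or order.client_id != client_id:
        raise NotFound(order_id)
    return order


def can_read(order_id: int, client_id: int) -> bool:
    """True if the hardened lookup lets client_id read order_id."""
    try:
        get_order_for_client(order_id, client_id)
        return True
    except NotFound:
        return False


# Assumed log format for the example; adapt the regex to the real access log.
LOG_RE = re.compile(r"client=(?P<client>\d+)\s+order_id=(?P<order>\d+)\s+status=(?P<status>\d{3})")

# Constructed access-log lines (not real FOSSBilling logs). Clients 1 and 2 read
# their own orders; client 3 walks order IDs 100..105 in sequence.
SAMPLE_LOG = """\
2026-01-01T10:00:00Z client=1 order_id=101 status=200
2026-01-01T10:00:01Z client=2 order_id=102 status=200
2026-01-01T10:00:02Z client=3 order_id=100 status=404
2026-01-01T10:00:02Z client=3 order_id=101 status=200
2026-01-01T10:00:03Z client=3 order_id=102 status=200
2026-01-01T10:00:03Z client=3 order_id=103 status=200
2026-01-01T10:00:04Z client=3 order_id=104 status=404
2026-01-01T10:00:04Z client=3 order_id=105 status=404
"""


def longest_consecutive_run(ids) -> int:
    """Length of the longest run of consecutive integers in ids."""
    best = cur = 0
    prev = None
    for i in sorted(ids):
        cur = cur + 1 if prev is not None and i == prev + 1 else 1
        best = max(best, cur)
        prev = i
    return best


def find_enumerators(log_text: str, min_distinct: int = 5, min_run: int = 4) -> dict:
    """Flag clients that request many distinct order_ids forming a consecutive
    run. A legitimate client touches only its own handful of orders; a walk
    through sequential IDs (including 404s for gaps) is the enumeration signal.
    Returns {client_id: {"distinct_ids": n, "longest_run": r}}."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            seen[int(m["client"])].add(int(m["order"]))
    flagged = {}
    for client, ids in seen.items():
        run = longest_consecutive_run(ids)
        if len(ids) >= min_distinct and run >= min_run:
            flagged[client] = {"distinct_ids": len(ids), "longest_run": run}
    return flagged


if __name__ == "__main__":
    print("client 1 reads order 102 (vulnerable):", get_order_vulnerable(102, 1).service_config)
    print("client 1 reads order 102 (hardened):", can_read(102, 1))
    print("enumerators:", find_enumerators(SAMPLE_LOG))
```

The hardened lookup deliberately returns the same error for "not yours" and "does not exist"; returning a distinct 403 would still let a client map which IDs are live. The detector counts 404s as well as 200s for the same reason: on a patched instance the walk produces only 404s, but the pattern is still worth alerting on as a sign that someone is probing for the flaw.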
Recommended Action (AI)
Within 24 hours: Inventory all FOSSBilling deployments and confirm whether any run version 0.7.2 or earlier. …
Weakness: CWE-284 – Improper Access Control
Technique: Authentication Bypass
EUVD ID: EUVD-2026-39052