Severity by source: GitHub Advisory (primary rating; only source for this CVE)
CVSS vector (GitHub Advisory): CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (GitHub Advisory)
FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, the password reset confirmation endpoint /client/reset-password-confirm/:hash is handled by a non-API controller and is not covered by FOSSBilling's rate limiter, which only applies to /api/* routes. This allows an attacker to probe the endpoint for valid reset tokens without any per-IP request limiting, attempt counting, or lockout mechanism. The endpoint acts as an oracle, returning a distinguishable response for valid versus invalid tokens (HTTP 200 vs HTTP 302 redirect). An attacker can submit unlimited token guesses to the password reset confirmation endpoint with no throttling applied. However, practical exploitability is significantly mitigated by the current token generation, which uses hash('sha256', random_bytes(32)), providing 256 bits of entropy. Tokens also expire after 15 minutes and are deleted after successful use. The same architectural gap applies to other controller-served auth routes, including /staff/email/:hash (admin password reset confirmation) and /client/confirm-email/:hash (email confirmation). Version 0.8.0 fixes the issue. Some workarounds are available. Configure a reverse proxy (e.g., Nginx, Apache, Cloudflare) to apply per-IP rate limiting to the /client/reset-password-confirm/* and /staff/email/* paths and/or use a WAF rule to limit request rates to these endpoints.
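The workaround the advisory describes, written out as an Nginx configuration. This is an added example, not configuration from the FOSSBilling project or the advisory; the server name, document root, PHP-FPM socket, zone size and the 5 requests/minute rate are assumed values, and the `index.php` front controller is assumed from FOSSBilling being a PHP application.

```nginx
# Added example (not from the FOSSBilling advisory or project): per-IP rate
# limiting for the three controller-served auth routes the advisory names,
# which the built-in limiter (scoped to /api/*) does not cover.
http {
    # One shared zone keyed on client IP. 10m of shared memory holds roughly
    # 160k addresses. 5r/m is an assumed ceiling: a legitimate user hits these
    # routes once per reset or confirmation, so a low rate costs them nothing
    # while it caps unauthenticated token guessing at a few tries per minute.
    limit_req_zone $binary_remote_addr zone=fb_auth:10m rate=5r/m;
    limit_req_status 429;

    # Caveat: behind Cloudflare or another proxy, $binary_remote_addr is the
    # proxy's address unless the real IP is restored first; otherwise every
    # client shares one bucket and the limit is both too strict and bypassable.
    # set_real_ip_from 203.0.113.0/24;   # placeholder proxy range
    # real_ip_header  CF-Connecting-IP;

    server {
        listen 443 ssl;
        server_name billing.example.com;   # placeholder
        root /var/www/fossbilling;          # placeholder

        # The routes the advisory lists as unthrottled prior to 0.8.0.
        location ~ ^/(client/reset-password-confirm|staff/email|client/confirm-email)/ {
            limit_req zone=fb_auth burst=5 nodelay;
            limit_req_log_level warn;   # rejected requests are logged, so
                                        # sustained 429s on these paths can
                                        # feed an alert on guessing attempts
            try_files $uri /index.php$is_args$args;
        }

        location / {
            try_files $uri /index.php$is_args$args;
        }

        location ~ \.php$ {
            fastcgi_pass unix:/run/php/php-fpm.sock;   # placeholder socket
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        }
    }
}
```

The regex location matches all three paths from the advisory with a single zone, so an attacker alternating between the client and staff endpoints still draws from one per-IP budget. Excess requests receive 429 rather than the 503 default, which keeps them distinguishable from backend failures in the access log. This is a compensating control only; the advisory's fix is upgrading to 0.8.0.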
Analysis (AI-generated)
Password reset token enumeration in FOSSBilling prior to 0.8.0 exposes three authentication endpoints - including the elevated-privilege admin reset at /staff/email/:hash - to unlimited brute-force guessing due to a rate limiter architecturally scoped exclusively to /api/* routes. The confirmation endpoint acts as a CWE-204 oracle, returning distinguishable HTTP responses (200 for valid tokens, 302 redirect for invalid), allowing an unauthenticated remote attacker to probe token validity without throttling, lockout, or attempt counting. …
Attack Chain (AI-derived): hypothetical attack flow derived from CVE metadata; the diagram itself is not captured here.
Vulnerability Assessment (AI-generated)

| Aspect | Assessment |
|---|---|
| Exploitation | No authentication is required (CVSS PR:N); all three affected endpoints are publicly accessible without a session. … |
| Risk Assessment | The CVSS 4.0 score of 6.3 with vector AV:N/AC:H/AT:P/PR:N/UI:N accurately represents a nuanced risk profile. … |
| Exploit Scenario | An unauthenticated attacker who knows or enumerates a valid target account email triggers a password reset, then immediately floods the `/client/reset-password-confirm/:hash` endpoint with sequentially or randomly guessed token values, observing HTTP 200 versus HTTP 302 responses to identify a valid token before its 15-minute expiry. No public exploit code has been identified. … |
| Remediation | The primary fix is upgrading to FOSSBilling 0.8.0 (released 2026-05-28), which extends the rate limit system to cover controller-served authentication routes (PR #3461) alongside broader security hardening; the release is available at https://github.com/FOSSBilling/FOSSBilling/releases/tag/0.8.0. … |
More in FOSSBilling (related advisories; summaries truncated in the source)

- Server-side template injection in FOSSBilling versions prior to 0.8.0 allows authenticated administrators to execute arb…
- Authorization bypass in FOSSBilling versions 0.5.4 through 0.7.x allows unauthenticated remote attackers to invoke privi…
- Cross-tenant data exposure in FOSSBilling 0.7.2 and earlier lets authenticated client users retrieve transaction and ord…
- Insecure direct object reference (IDOR) in FOSSBilling's Servicecustom Client API (versions 0.7.2 and prior) lets any au…
- Insecure Direct Object Reference in FOSSBilling's support ticket creation workflow allows authenticated clients on versi…
Weakness: CWE-204 – Observable Response Discrepancy
Technique: Information Disclosure
EUVD identifier: EUVD-2026-34255