Insufficient Granularity of Access Control in fossbilling/fossbilling
Description
Insufficient Granularity of Access Control in GitHub repository fossbilling/fossbilling prior to 0.5.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
FOSSBilling prior to 0.5.0 allowed users to add arbitrary addons to products due to insufficient access control on addon selection.
Vulnerability
In FOSSBilling versions prior to 0.5.0, the add_item method in the cart service lacked validation to ensure that only addons associated with a product could be added to the cart. As reported in [2], the code did not check whether the product was an addon itself or whether the selected addons were valid for the product. This allowed users to add any addon to any product, including addon products that should not be added separately. The commit [1] introduces checks: it throws an exception if the product is an addon, and validates that each selected addon is in the product's valid addons list.
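The two checks the paragraph describes, as an added PHP illustration that is not FOSSBilling's own code (the class, method name and product record shape are assumed): an addon product is rejected as a standalone cart item, and each requested addon is checked against the product's own list rather than trusted from the request.

```php
<?php
// Added illustration, not FOSSBilling's code: class, method and product
// record shapes are assumed. It mirrors the two checks the fix is described as adding.
final class CartAddonGuard
{
    /** @param array<int, array{is_addon: bool, addons: int[]}> $products */
    public function __construct(private array $products) {}

    /**
     * Returns the addon IDs that may accompany $productId, or throws.
     * Request values are untrusted: each ID is cast to int and checked
     * against the product's own allow-list, not the global addon table.
     */
    public function validateAddItem(int $productId, array $requestedAddons): array
    {
        $product = $this->products[$productId]
            ?? throw new InvalidArgumentException("Unknown product $productId");
        // Check 1: an addon product must not be added to the cart on its own.
        if ($product['is_addon']) {
            throw new InvalidArgumentException('Addon products cannot be added separately');
        }
        // Check 2: every requested addon must be in the product's valid list;
        // without it, any addon ID supplied in the request was accepted.
        $allowed = array_flip($product['addons']);
        $valid = [];
        foreach ($requestedAddons as $raw) {
            $addonId = (int) $raw;
            if (!isset($allowed[$addonId])) {
                throw new InvalidArgumentException("Addon $addonId is not valid for product $productId");
            }
            $valid[$addonId] = $addonId; // keyed by ID, so repeated IDs collapse
        }
        return array_values($valid);
    }
}

// Constructed catalogue: product 1 is a plan offering addons 10 and 11;
// products 10 and 12 are addon products.
$guard = new CartAddonGuard([
    1  => ['is_addon' => false, 'addons' => [10, 11]],
    10 => ['is_addon' => true, 'addons' => []],
    12 => ['is_addon' => true, 'addons' => []],
]);
var_dump($guard->validateAddItem(1, ['10', '11', '10']));
foreach ([[1, ['12']], [10, []]] as [$pid, $addons]) {
    try {
        $guard->validateAddItem($pid, $addons);
    } catch (InvalidArgumentException $e) {
        echo $e->getMessage(), "\n";
    }
}
```

The first call succeeds with addons 10 and 11; the second is refused because addon 12 is not listed for product 1, and the third because product 10 is itself an addon.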
Exploitation
An attacker with the ability to add items to the cart (e.g., any authenticated user or even unauthenticated if the cart is accessible) could craft a request to the add_item endpoint with arbitrary addon IDs. By manipulating the addons parameter, the attacker could select addons that are not intended for the product being added. No special privileges are required beyond normal cart access.
Impact
Successful exploitation allows an attacker to add unauthorized addons to a product in the cart, potentially gaining access to features or services that should not be available with that product. This could lead to privilege escalation or unauthorized access to paid features, depending on the billing and provisioning logic. The vulnerability is classified as insufficient granularity of access control, leading to potential information disclosure or financial loss.
Mitigation
The fix was implemented in commit [1] and is included in FOSSBilling version 0.5.0, released on 2023-06-14. Users should upgrade to version 0.5.0 or later. No workarounds are documented. The vulnerability is not listed on CISA's KEV as of the publication date.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: <0.5.0
- fossbilling/fossbilling/fossbillingv5: Range: unspecified
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (2)
News mentions (0)
No linked articles in our index yet.