VYPR
Unrated severity · NVD Advisory · Published Jun 14, 2023 · Updated Jan 2, 2025

Missing Authorization in fossbilling/fossbilling

CVE-2023-3230

Description

Missing Authorization in GitHub repository fossbilling/fossbilling prior to 0.5.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Missing authorization in FOSSBilling's Servicedownloadable module allows unauthenticated file uploads and downloads before version 0.5.0.

Vulnerability

A missing authorization vulnerability exists in the Servicedownloadable module of FOSSBilling prior to version 0.5.0. The upload() method lacked proper parameter validation before the patch, and the send_file() method did not check the order status, allowing access even for inactive orders. The fix adds checkRequiredParamsForArray validation and a check that the order status is 'active' before serving files [1][2].
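The two checks described above, modelled as an added example that is not FOSSBilling's own (PHP) code: a minimal download service with the unpatched handlers beside the hardened ones. The class and parameter names (Order, DownloadService, order_id, filename, content) and the order-status values are assumptions for illustration; only the shape of the fix (required-parameter validation on upload, an 'active' status check before serving a file) follows the advisory.

```python
from dataclasses import dataclass


class ValidationError(Exception):
    """Request is missing a required parameter."""


class AuthorizationError(Exception):
    """Caller is not entitled to the requested file."""


@dataclass
class Order:
    id: int
    status: str            # assumed values: 'active', 'pending', 'suspended', 'canceled'
    filename: str = ""
    content: bytes = b""


def check_required_params_for_array(data: dict, required: tuple) -> None:
    """Fail closed when any required key is absent or empty.

    Plays the role the advisory attributes to checkRequiredParamsForArray;
    the key names passed in are assumed, not FOSSBilling's real ones.
    """
    missing = [k for k in required if data.get(k) in (None, "")]
    if missing:
        raise ValidationError("missing required parameter(s): " + ", ".join(missing))


class DownloadService:
    """Toy stand-in for the Servicedownloadable module (assumed shape)."""

    UPLOAD_REQUIRED = ("order_id", "filename", "content")

    def __init__(self, orders):
        self._orders = {o.id: o for o in orders}

    def _order(self, order_id) -> Order:
        try:
            return self._orders[order_id]
        except KeyError:
            raise AuthorizationError(f"order {order_id} not found") from None

    # --- 'before' behaviour as the advisory describes it ---------------------
    def send_file_unpatched(self, order_id) -> bytes:
        # No status check: a suspended or canceled order is still served.
        return self._order(order_id).content

    def upload_unpatched(self, data: dict) -> str:
        # No parameter validation: a partial request is processed as-is.
        order = self._order(data.get("order_id"))
        order.filename = data.get("filename", "")
        order.content = data.get("content", b"")
        return order.filename

    # --- 'after' behaviour: the two checks the fix is described as adding ----
    def send_file(self, order_id) -> bytes:
        order = self._order(order_id)
        if order.status != "active":
            # Entitlement depends on order state, not merely on the order existing.
            raise AuthorizationError(f"order {order_id} is {order.status}, not active")
        return order.content

    def upload(self, data: dict) -> str:
        check_required_params_for_array(data, self.UPLOAD_REQUIRED)
        order = self._order(data["order_id"])
        order.filename = data["filename"]
        order.content = data["content"]
        return order.filename


def demo():
    """Constructed sample orders; returns (active_ok, inactive_denied, upload_rejected)."""
    svc = DownloadService([
        Order(1, "active", "guide.pdf", b"%PDF-sample"),
        Order(2, "canceled", "guide.pdf", b"%PDF-sample"),
    ])
    active_ok = svc.send_file(1) == b"%PDF-sample"
    try:
        svc.send_file(2)              # canceled order: must be refused
        inactive_denied = False
    except AuthorizationError:
        inactive_denied = True
    try:
        svc.upload({"order_id": 1})   # filename and content missing: must be refused
        upload_rejected = False
    except ValidationError:
        upload_rejected = True
    return active_ok, inactive_denied, upload_rejected


if __name__ == "__main__":
    print(demo())
```

The point of the `demo()` pairing is that both checks are enforced server-side before any file bytes move: the status check refuses the canceled order that `send_file_unpatched` would happily serve, and the parameter check rejects the partial upload request before it touches an order.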

Exploitation

An attacker can exploit this by sending a crafted request to the vulnerable upload or send_file endpoints without requiring any prior authentication or valid subscription. No special network position or race condition is needed; simply targeting the affected module's API endpoints enables exploitation [1][2].

Impact

Successful exploitation allows an attacker to upload arbitrary files and download files intended only for active orders, leading to unauthorized information disclosure and potential file upload abuse. This can compromise the confidentiality and integrity of data managed by FOSSBilling [1][2].

Mitigation

The vulnerability is fixed in FOSSBilling version 0.5.0. Users should upgrade to this version or later. No workarounds are documented, and the CVE is not listed in CISA's Known Exploited Vulnerabilities catalog as of publication [1][2].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0 (no linked articles in our index yet)