VYPR
Unrated severity · NVD Advisory · Published Jul 6, 2023 · Updated Oct 31, 2024

Cross-site Scripting (XSS) - Reflected in fossbilling/fossbilling

CVE-2023-3521

Description

Cross-site Scripting (XSS) - Reflected in GitHub repository fossbilling/fossbilling prior to 0.5.4.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS in FOSSBilling prior to 0.5.4 allows attackers to inject arbitrary HTML/JavaScript via unescaped exception messages.

Vulnerability

A reflected cross-site scripting (XSS) vulnerability exists in FOSSBilling versions prior to 0.5.4. The flaw resides in the error handling mechanism: the exceptionHandler function and the ErrorPage::generatePage method directly output exception messages without HTML escaping. When an exception occurs, the message is included in the error page as raw HTML, allowing an attacker to inject malicious scripts. The vulnerable code paths are in library/FOSSBilling/ErrorPage.php and the global exception handler. The fix was introduced in commit [1].

Exploitation

An attacker can trigger an exception with a crafted message containing JavaScript payloads. This can be achieved by sending a request that causes an exception (e.g., invalid input) where the error message is reflected back to the user. No authentication is required if the error page is publicly accessible. The attacker would need to convince a victim to visit a specially crafted URL that triggers the exception, or the error could be triggered automatically if the attacker can control input that leads to an exception. The attack does not require any special privileges or user interaction beyond visiting the malicious URL.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to session hijacking, defacement of the application, theft of sensitive information (e.g., cookies, tokens), or other actions that the victim's browser can perform on the affected domain. The impact is limited to the scope of the victim's session and the application's functionality.

Mitigation

The vulnerability is fixed in FOSSBilling version 0.5.4. Users should upgrade to this version or later. The fix, as shown in commit [1], applies htmlspecialchars() to the exception message before output, preventing HTML injection. No workarounds are documented; upgrading is the recommended action.
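To make the mechanism in the Vulnerability and Mitigation sections concrete, here is an added example (not FOSSBilling's ErrorPage class or the project's actual patch): a minimal error-page renderer in the vulnerable shape the advisory describes, beside the escaped form that corresponds to the fix. Function names and the sample exception are hypothetical constructions; the escaping shown is correct for HTML body and attribute contexts only, not for script or URL contexts.

```php
<?php
// Added illustration, not FOSSBilling's code. Function names are hypothetical.
declare(strict_types=1);

// Vulnerable shape: the exception message is interpolated into the HTML
// response verbatim, so any markup inside the message is parsed by the browser.
function renderErrorPageUnsafe(Throwable $e): string
{
    return '<!DOCTYPE html><html><body><h1>An error occurred</h1>'
        . '<p>' . $e->getMessage() . '</p></body></html>';
}

// Fixed shape: the message goes through htmlspecialchars() before it reaches
// the page. ENT_QUOTES escapes both quote styles (needed if the value is ever
// placed in an attribute), ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning an empty string, and the explicit charset avoids relying on
// the default_charset INI setting.
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderErrorPage(Throwable $e): string
{
    return '<!DOCTYPE html><html><body><h1>An error occurred</h1>'
        . '<p>' . escapeHtml($e->getMessage()) . '</p></body></html>';
}

// Defensive self-check: after escaping, none of the HTML-significant
// characters from the message may survive unencoded in the output.
function messageIsInert(Throwable $e): bool
{
    $body = renderErrorPage($e);
    $tail = substr($body, strpos($body, '<p>') + 3);          // content after the <p> we wrote
    $tail = substr($tail, 0, strpos($tail, '</p>'));           // up to the </p> we wrote
    return strpbrk($tail, '<>"\'') === false;                  // no raw markup characters
}

// Constructed sample: an exception whose message carries markup, as happens
// when unvalidated input is echoed into an error message.
$e = new RuntimeException('Invalid value: <script>alert(1)</script>');

echo renderErrorPageUnsafe($e), PHP_EOL; // message emitted as live markup
echo renderErrorPage($e), PHP_EOL;       // message emitted as entity-encoded text
var_dump(messageIsInert($e));            // true for the escaped renderer
```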

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 2