VYPR
Unrated severity · NVD Advisory · Published Jul 31, 2023 · Updated Oct 11, 2024

Insufficient Session Expiration in fossbilling/fossbilling

CVE-2023-4005

Description

Insufficient Session Expiration in GitHub repository fossbilling/fossbilling prior to 0.5.5.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

FOSSBilling prior to 0.5.5 fails to invalidate active sessions after a password change, allowing continued access with old credentials.

Vulnerability

An insufficient session expiration vulnerability exists in FOSSBilling prior to version 0.5.5. When a user changes their password, the application does not invalidate the user's existing active sessions. This means that previously issued session tokens remain valid even after the password has been changed. The affected functionality includes both client and admin password changes. The fix, introduced in commit [1], adds explicit calls to invalidate sessions after password changes. The vulnerability affects all versions before 0.5.5.
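To make the defect and the fix concrete, the following is an added example, not FOSSBilling's own code: a minimal server-side session table with a password-change handler that leaves earlier sessions valid (the pre-0.5.5 behaviour described above) beside one that revokes every other session for the account. All names (`SessionStore`, `change_password_fixed`, the user "alice") are hypothetical, and the hashing is deliberately simplified.

```python
import hashlib
import secrets
from typing import Dict, Optional

def hash_pw(password: str) -> str:
    # Illustrative only; a real deployment uses a slow, salted KDF (argon2, bcrypt).
    return hashlib.sha256(password.encode()).hexdigest()

class SessionStore:
    """Server-side session table: session id -> username."""
    def __init__(self) -> None:
        self.sessions: Dict[str, str] = {}

    def login(self, user: dict, password: str) -> Optional[str]:
        if hash_pw(password) != user["pw_hash"]:
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = user["name"]
        return sid

    def is_valid(self, sid: str) -> bool:
        return sid in self.sessions

    def revoke_all(self, username: str, keep: Optional[str] = None) -> int:
        doomed = [s for s, u in self.sessions.items() if u == username and s != keep]
        for s in doomed:
            del self.sessions[s]
        return len(doomed)

def change_password_vulnerable(store: SessionStore, user: dict, new_pw: str, current_sid: str) -> None:
    # Pre-0.5.5 behaviour as the advisory describes it: the hash is replaced,
    # but every session token issued earlier remains valid.
    user["pw_hash"] = hash_pw(new_pw)

def change_password_fixed(store: SessionStore, user: dict, new_pw: str, current_sid: str) -> int:
    # Hardened behaviour: rotate the credential, then revoke every other session
    # of this user so a token stolen earlier stops working at once.
    user["pw_hash"] = hash_pw(new_pw)
    return store.revoke_all(user["name"], keep=current_sid)

def stolen_token_survives(change_fn) -> bool:
    """True if a session issued before the password change is still accepted."""
    store = SessionStore()
    user = {"name": "alice", "pw_hash": hash_pw("old-pass")}  # constructed test account
    stolen = store.login(user, "old-pass")   # token an attacker obtained earlier
    current = store.login(user, "old-pass")  # session the password change is made from
    change_fn(store, user, "new-pass", current)
    assert store.is_valid(current) and store.login(user, "old-pass") is None
    return store.is_valid(stolen)
```

Running `stolen_token_survives` with each handler shows the old token accepted under the vulnerable variant and rejected under the fixed one, which is the check to add to a regression test for this class of bug.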

Exploitation

An attacker who has already obtained or intercepted a valid session token (e.g., via session theft, XSS, or a compromised device) can continue to use that session token after the legitimate user changes their password. No additional authentication or user interaction is required; the existing session remains active indefinitely. The attacker does not need to know the new password. The exploitation scenario relies on the attacker having access to the session token before the password change.

Impact

Successful exploitation allows an attacker to maintain unauthorized access to the affected user's account despite the password change. This exposes the user's data and functionality to ongoing compromise. The impact is primarily on confidentiality and integrity, as the attacker can continue to view and modify account details, billing information, and other sensitive data. The privilege level achieved is that of the compromised user (client or staff).

Mitigation

The vulnerability is fixed in FOSSBilling version 0.5.5, released July 31, 2023 [1]. Users must upgrade to version 0.5.5 or later. No workaround is available for earlier versions. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
