FOSSBilling: Broken Authorization in Client Transaction and Order Listings
Description
FOSSBilling is a free, open-source billing and client management system. In versions 0.7.2 and prior, a query-construction flaw in client list endpoints allowed authenticated clients to bypass tenant scoping and retrieve other clients' data.
Details
In ServiceTransaction::getSearchQuery() and Order\Service::getSearchQuery(), OR-based search/action filters were appended without grouping, allowing SQL operator precedence to evaluate OR clauses independently of the enforced client_id constraint. Crafted requests could therefore return records and metadata belonging to other clients, including identifiers, amounts, status, timestamps, and related fields. This issue was fixed in version 0.8.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Range: <=0.7.2
Patches
Vulnerability mechanics
Root cause
"Missing parentheses around OR-based filter clauses in SQL query construction allows operator precedence to bypass the client_id tenant-scoping constraint."
Attack vector
An authenticated client sends crafted requests to the `client/invoice/transaction_get_list` endpoint (using the `search` parameter) or the `client/order/get_list` endpoint (using the `show_action_required` parameter) [ref_id=1]. Because the OR-based filters are appended without grouping, SQL operator precedence causes the OR clauses to be evaluated separately from the mandatory `client_id` WHERE condition, letting the query return records belonging to other clients [ref_id=1]. The attacker must be an authenticated client of the system but does not require any special administrative privileges.
Affected code
The flaw resides in `ServiceTransaction::getSearchQuery()` and `Order\Service::getSearchQuery()` in the backend files `src/modules/Invoice/ServiceTransaction.php` and `src/modules/Order/Service.php` [ref_id=1]. OR-based search/action filters were appended without grouping, allowing SQL operator precedence to evaluate OR clauses independently of the enforced `client_id` constraint [ref_id=1].
What the fix does
The patch (version 0.8.0) wraps the OR-based search/action filter clauses in explicit parentheses so that they are grouped together and evaluated as a single condition alongside the mandatory `client_id` constraint [ref_id=1]. This prevents SQL operator precedence from allowing the OR clauses to bypass the tenant-scoping WHERE clause. The advisory does not include a diff, but the fix ensures that all client-list queries respect the authenticated client's scope.
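To make the precedence point concrete, the following is an added example, not FOSSBilling's code: the table and columns are a constructed stand-in for the real schema, and the two query builders reproduce only the ungrouped and grouped WHERE patterns the advisory describes. It runs both against an in-memory SQLite database as client 101 and reports whether rows belonging to another client come back.

```python
import sqlite3

# Constructed sample data (not FOSSBilling's schema): two clients with two
# transactions each. A correctly scoped query run as client 101 must never
# return a row whose client_id is 202.
SAMPLE_ROWS = [
    (1, 101, "approved", "card payment"),
    (2, 101, "pending", "bank transfer"),
    (3, 202, "approved", "card payment"),
    (4, 202, "pending", "paypal"),
]

def open_sample_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE transaction_log "
                "(id INTEGER, client_id INTEGER, status TEXT, note TEXT)")
    con.executemany("INSERT INTO transaction_log VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return con

def ungrouped_query():
    # Flawed pattern: the tenant constraint is ANDed in, then a free-text
    # search is appended as a bare OR chain. AND binds tighter than OR, so the
    # engine reads this as (client_id = ? AND status LIKE ?) OR note LIKE ?.
    return ("SELECT id, client_id FROM transaction_log "
            "WHERE client_id = :client_id "
            "AND status LIKE :search OR note LIKE :search")

def grouped_query():
    # Fixed pattern: parentheses make the OR chain a single operand of the
    # AND, so every returned row must still satisfy the client_id constraint.
    return ("SELECT id, client_id FROM transaction_log "
            "WHERE client_id = :client_id "
            "AND (status LIKE :search OR note LIKE :search)")

def client_ids_returned(sql, client_id, search):
    """Run sql as the given client; return the set of client_ids whose rows
    came back. Any value other than client_id is a tenant-scoping leak."""
    con = open_sample_db()
    rows = con.execute(sql, {"client_id": client_id, "search": search}).fetchall()
    con.close()
    return {row[1] for row in rows}

def leaks_other_tenants(sql, client_id, search):
    return bool(client_ids_returned(sql, client_id, search) - {client_id})

if __name__ == "__main__":
    for name, sql in (("ungrouped", ungrouped_query()), ("grouped", grouped_query())):
        print(name, "leaks other tenants:", leaks_other_tenants(sql, 101, "%"))
```

The same check is a useful regression test for any multi-tenant list endpoint: run each search query as one tenant and assert that every returned row carries that tenant's id.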
Preconditions
- auth: The attacker must be an authenticated client of the FOSSBilling instance.
- input: The attacker sends crafted requests to the affected client API endpoints with specific search or filter parameters.
Generated on Jun 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/FOSSBilling/FOSSBilling/releases/tag/0.8.0
- github.com/FOSSBilling/FOSSBilling/security/advisories/GHSA-xcrv-cccw-r65v