VYPR
Medium severity · NVD Advisory · Published Jun 3, 2026

CVE-2026-43924

Description

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, the Redirect module does not validate the URL scheme of administrator-configured destination URLs before storing or issuing redirects. This allows arbitrary external URLs to be configured as redirect targets, creating an open redirect vulnerability exploitable for phishing attacks. Users following a legitimate FOSSBilling URL can be silently redirected to an attacker-controlled external site. The redirect is issued as a 301 (Moved Permanently) response, which browsers cache persistently, amplifying the impact. Exploitation requires administrator privileges to create or modify redirect entries, limiting practical attack scenarios to multi-admin environments or compromised admin accounts. Version 0.8.0 fixes the issue. Some workarounds are available. Restrict admin access to the Redirect module to trusted administrators only and/or audit existing redirect entries in the database (the extension_meta table with extension = 'mod_redirect') for any unexpected or external target URLs.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"The Redirect module does not validate the URL scheme of administrator-configured destination URLs before storing or issuing redirects."

Attack vector

An attacker who already holds administrator privileges creates or modifies a redirect entry in the FOSSBilling Redirect module and sets an arbitrary external URL as its destination. A user who follows the legitimate FOSSBilling URL that the entry covers is silently sent to the attacker-controlled site via a 301 (Moved Permanently) response. Because a 301 is cacheable by default, the browser may keep sending that user to the external site on later visits without contacting FOSSBilling again [ref_id=1].

Affected code

The vulnerability exists in the Redirect module. When a redirect entry is created via the admin API (Api/Admin.php), the target URL is only passed through htmlspecialchars() and trim() before being stored in the database (Service.php). Those calls encode HTML metacharacters and strip surrounding whitespace; neither constrains the URL's scheme or host. No validation of the scheme or target origin is performed when the entry is saved (create() / update()) or when the redirect is issued (Controller/Client.php) [ref_id=1].

What the fix does

Version 0.8.0 addresses the vulnerability by implementing validation of the URL scheme for administrator-configured destination URLs before they are stored or used for redirects. This prevents arbitrary external URLs from being set as redirect targets, thereby mitigating the open redirect vulnerability. The advisory does not provide specific code changes but indicates that the issue is resolved in this version [ref_id=1].
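The save-time handling described under "Affected code" and the kind of scheme check the fix is said to introduce, side by side as an added example. This is illustrative code written for this page, not FOSSBilling's Service.php or the 0.8.0 patch; the function names, the source of $ownHost and the sample inputs are assumptions, and PHP 8.0+ is assumed for str_starts_with().

```php
<?php
declare(strict_types=1);

// Added example (not FOSSBilling code). Contrasts the save-time handling the
// advisory describes with an allow-list check on scheme and host. Names are
// hypothetical; PHP 8.0+ is assumed for str_starts_with().

/**
 * The pattern the advisory attributes to Service.php: whitespace is trimmed and
 * HTML metacharacters are encoded, but nothing constrains scheme or host, so
 * "https://evil.example/" and "javascript:alert(1)" are stored unchanged.
 */
function store_target_unvalidated(string $target): string
{
    return htmlspecialchars(trim($target), ENT_QUOTES, 'UTF-8');
}

/**
 * Allow-list check a hardened create()/update() could run before storing.
 * Accepts a site-relative path ("/client/login") or an absolute http(s) URL
 * whose host equals $ownHost; returns null for anything else.
 * $ownHost must come from the application's configured base URL, not from
 * the request's Host header (which the client controls).
 */
function validate_redirect_target(string $target, string $ownHost): ?string
{
    $target = trim($target);
    if ($target === '' || preg_match('/[\x00-\x20\x7f]/', $target)) {
        return null; // empty, or control/whitespace bytes that could split the Location header
    }

    if (str_starts_with($target, '/')) {
        // "//evil.example" is scheme-relative and "/\evil.example" is
        // normalised to it by browsers; both leave the site.
        if (str_starts_with($target, '//') || str_starts_with($target, '/\\')) {
            return null;
        }
        return $target;
    }

    $p = parse_url($target);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return null; // no parseable scheme+host: "evil.example/x", "mailto:", "http:\\evil"
    }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return null; // javascript:, data:, ftp:, ...
    }
    if (isset($p['user']) || isset($p['pass'])) {
        return null; // https://billing.example@evil.example/ lands on evil.example
    }
    if (strcasecmp($p['host'], $ownHost) !== 0) {
        return null; // external origin: the open-redirect case
    }
    return $target; // port and path are left to the caller's policy
}

// Constructed inputs exercising both paths (assumed own host).
$ownHost = 'billing.example';
$samples = [
    '/client/login',
    'https://billing.example/order/42',
    '//evil.example/login',
    'https://evil.example/login',
    'JavaScript:alert(1)',
    'https://billing.example@evil.example/',
    "https://billing.example/\r\nSet-Cookie: x=1",
];
foreach ($samples as $t) {
    $stored  = store_target_unvalidated($t);
    $checked = validate_redirect_target($t, $ownHost);
    printf("%-46s sanitized-only stores: %s\n%-46s hardened: %s\n",
        json_encode($t), json_encode($stored),
        '', $checked === null ? 'REJECTED' : 'accepted');
}
```

Only the first two samples survive the hardened check; every sample passes the sanitize-only path. A check applied at create()/update() does nothing for rows that were stored before it existed, so the redirect-issuing path (Controller/Client.php in the advisory's description) should run the same validation on the stored value, and the advisory's workaround of auditing existing entries in extension_meta (extension = 'mod_redirect') remains necessary after upgrading.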

Preconditions

  • auth: Requires administrator privileges to create or modify redirect entries [ref_id=1].

Generated on Jun 3, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 2

News mentions: 0 (no linked articles in our index yet)