We can still order the product even if it is disabled in fossbilling/fossbilling

Valid

Reported on

Jun 9th 2023


Description

I am writing to report a potential security vulnerability that was uncovered in your platform. Specifically, we discovered that your product purchase functionality can still be accessed via the API even after the product has been disabled and is no longer available for sale.

Proof of Concept

1. An admin creates a product.

2. A user orders the product and hijacks the request using Burp Suite.

3. The admin disables the product.

4. The user sends the request and receives a successful response, unaware that the admin has disabled the product.

Impact

This leaves the door open for attackers to potentially place orders for products that should not be available, leading to potential financial loss and reputational damage.
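The four PoC steps above describe a missing server-side availability check: the storefront stops listing a product once it is disabled, but a request captured earlier (or built by hand against the API) never goes through the storefront, so the order handler has to re-check the product's status itself at submission time. The following stand-alone Python illustration, added here as an example and not taken from FOSSBilling or its pull request, replays the PoC against a handler that only checks that the product exists and against one that also checks that it is enabled. All names (Product, Catalog, place_order_vulnerable, place_order_fixed, the `status` field) are hypothetical and do not reflect FOSSBilling's actual code or API.

```python
"""Constructed illustration of ordering a disabled product, and the fix.

Hypothetical names throughout; this is not FOSSBilling code.
"""
from dataclasses import dataclass, field


@dataclass
class Product:
    id: int
    title: str
    price: float
    status: str = "enabled"  # hypothetical: "enabled" or "disabled"


@dataclass
class Catalog:
    products: dict = field(default_factory=dict)

    def create(self, pid, title, price):
        self.products[pid] = Product(pid, title, price)
        return self.products[pid]

    def disable(self, pid):
        self.products[pid].status = "disabled"

    def listed(self):
        """What the storefront shows: enabled products only."""
        return [p for p in self.products.values() if p.status == "enabled"]


class OrderError(Exception):
    pass


def place_order_vulnerable(catalog, request):
    """Before: only checks that the product id in the request exists.

    Hiding the product in the storefront is not a control here, because a
    replayed or hand-built request never passes through the storefront.
    """
    product = catalog.products.get(request["product_id"])
    if product is None:
        raise OrderError("unknown product")
    return {"status": "created", "product_id": product.id,
            "total": round(product.price * request["quantity"], 2)}


def place_order_fixed(catalog, request):
    """After: re-validate availability on the server at submission time."""
    product = catalog.products.get(request["product_id"])
    # Same error for missing and disabled, so the API does not reveal
    # which ids belong to hidden products.
    if product is None or product.status != "enabled":
        raise OrderError("product not available")
    return {"status": "created", "product_id": product.id,
            "total": round(product.price * request["quantity"], 2)}


def replay_poc(place_order):
    """Run the four PoC steps against the given order handler."""
    catalog = Catalog()
    catalog.create(1, "Hosting plan", 9.99)        # 1. admin creates a product
    captured = {"product_id": 1, "quantity": 2}    # 2. user captures the order request
    catalog.disable(1)                             # 3. admin disables the product
    assert catalog.listed() == []                  # storefront no longer shows it
    try:
        place_order(catalog, captured)             # 4. user replays the request
        return "order accepted"
    except OrderError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    print("vulnerable handler:", replay_poc(place_order_vulnerable))
    print("fixed handler:     ", replay_poc(place_order_fixed))
```

The point of the fix is where the check lives: the product's status must be evaluated on the order-creation path, at the moment the order is submitted, not only when the product list is rendered or when the item is added to a cart.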

We are processing your report and will contact the fossbilling team within 24 hours. 3 months ago
lujiefsi modified the report
3 months ago
Belle Aerni modified the Severity from High (8.8) to Medium (5.4) 3 months ago
We have contacted a member of the fossbilling team and are waiting to hear back 3 months ago
fossbilling/fossbilling maintainer has acknowledged this report 3 months ago
Belle Aerni
3 months ago

Maintainer


I've been able to replicate this issue and I've submitted a pull request to prevent it: https://github.com/FOSSBilling/FOSSBilling/pull/1308

Belle Aerni
3 months ago

Maintainer


@admin can you please update the status of this report as being valid?

The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Belle Aerni validated this vulnerability 3 months ago

Sorry, I just realized that the "resolve as valid" button was the intended way for me to mark it as valid and that it doesn't actually close the report yet.

lujiefsi has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Belle Aerni marked this as fixed in 0.5.0 with commit 56a64f 3 months ago
Belle Aerni has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Jun 19th 2023
Belle Aerni published this vulnerability 3 months ago