Security vulnerability in product bundling feature in fossbilling/fossbilling

Valid

Reported on

Jun 9th 2023


Description

Our e-commerce platform offers a bundled sales promotion feature that allows an administrator to bind the sale of a product to an addon. We have identified a security vulnerability in this feature: after an administrator cancels a bundle offer, users can still make unauthorized purchases through the system's API, buying the product and addon together even though the administrator has removed the offer.

Proof of Concept

1. A user sends an API request through the platform to purchase a product together with its addon.

2. The user intercepts this request with Burp Suite.

3. The administrator cancels the bundle offer through the admin panel.

4. The user replays the captured API request after the offer has been cancelled, and the purchase still completes successfully.
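The missing server-side check, as an added example that is not FOSSBilling's code: the order endpoint must re-validate the product/addon binding against the current catalog at the moment the order is created, so a request captured before the administrator cancels the bundle is rejected on replay. The `Catalog` class, `create_order` and the product and addon names are constructed for this illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Catalog:
    """Constructed stand-in for the admin-managed product/addon bindings."""
    products: set = field(default_factory=set)
    bundles: dict = field(default_factory=dict)  # product_id -> set of addon ids

    def bundle(self, product_id, addon_id):
        self.products.add(product_id)
        self.bundles.setdefault(product_id, set()).add(addon_id)

    def cancel_bundle(self, product_id, addon_id):
        # The administrator removes the offer; later orders must see this.
        self.bundles.get(product_id, set()).discard(addon_id)


class OrderRejected(Exception):
    pass


def create_order(catalog, request):
    """Validate a client-controlled order request against the *current* catalog.
    The addon list in the request is never trusted on its own."""
    product_id = request["product_id"]
    if product_id not in catalog.products:
        raise OrderRejected(f"unknown product {product_id}")
    allowed = catalog.bundles.get(product_id, set())
    for addon_id in request.get("addons", []):
        if addon_id not in allowed:
            raise OrderRejected(
                f"addon {addon_id} is not currently bundled with product {product_id}")
    return {"product_id": product_id, "addons": sorted(request.get("addons", []))}


def replay_after_cancel():
    """Walk through the report's timeline: capture, admin cancels, replay."""
    catalog = Catalog()
    catalog.bundle("hosting-basic", "ssl-cert")
    captured = {"product_id": "hosting-basic", "addons": ["ssl-cert"]}
    first = create_order(catalog, captured)          # accepted: bundle exists
    catalog.cancel_bundle("hosting-basic", "ssl-cert")
    try:
        create_order(catalog, captured)              # same request, replayed
        return first, "accepted"
    except OrderRejected:
        return first, "rejected"
```

The check has to run inside the order-creation path itself; validating the bundle only when the purchase form is rendered leaves the window the report describes.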

Impact

This vulnerability undermines the trustworthiness of the platform and can be exploited to facilitate fraudulent activity, potentially resulting in financial loss and compromising system integrity.

We are processing your report and will contact the fossbilling team within 24 hours. 3 months ago
lujiefsi modified the report
3 months ago
Belle Aerni modified the Severity from High (8.8) to Medium (5.4) 3 months ago
fossbilling/fossbilling maintainer has acknowledged this report 3 months ago
lujiefsi (Researcher), 3 months ago:

https://1drv.ms/v/s!Avwg5C1eKVA4gk5UAK5Y2z2nn0qw?e=bmBWPz

The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Belle Aerni validated this vulnerability 3 months ago

Thanks for the report. This one is also fixed by a pull request I submitted for a separate vulnerability. https://github.com/FOSSBilling/FOSSBilling/pull/1313

lujiefsi has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Belle Aerni marked this as fixed in 0.5.0 with commit b65a75 3 months ago
Belle Aerni has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Jun 19th 2023
Belle Aerni published this vulnerability 3 months ago