Privilege Escalation Vulnerability in Product Upgrade Module in fossbilling/fossbilling

Valid

Reported on

Jun 9th 2023


Description

The product upgrade module contained a privilege escalation vulnerability that allowed a client to upgrade an order to a product the administrator had not authorized as an upgrade target.

Once an administrator had configured Product 1 to be upgradable to Product 2 but not to Product 3, a client could intercept the upgrade request with Burp Suite and replace the ID of Product 2 with the ID of Product 3. The server accepted the changed ID, resulting in an unauthorized product upgrade.

Proof of Concept

1. An administrator configures Product 1 so that it can be upgraded to Product 2, but not to Product 3.

2. The client requests an upgrade of Product 1 to Product 2 and intercepts the request with Burp Suite:

POST /index.php?_url=/api/client/support/ticket_create HTTP/1.1
Host: localhost
Content-Length: 204
sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="98"
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0

CSRFToken=182e0a69002c8a873b9f5dbdd677e966&subject=I+would+like+to+upgrade+product1&support_helpdesk_id=1&rel_new_value=1&content=I+would+like+to+upgrade+product1&rel_type=order&rel_id=19&rel_task=upgrade

3. The client changes the target product ID in the intercepted request (the rel_new_value field of the body) from the ID of Product 2 to the ID of Product 3 and forwards it. The upgrade is accepted.
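The server-side check that closes this class of bug, as an added example written for this page in Python (it is not FOSSBilling's own PHP code; the product upgrade table, the orders table, the client ID and the request body are constructed for the example and only modelled on the PoC request). The vulnerable handler trusts rel_new_value as sent; the hardened handler rejects any target product that is not in the administrator's upgrade list for the order's current product, and also refuses orders the caller does not own, which is shown as standard practice rather than as a finding of this report.

```python
from urllib.parse import parse_qs, urlencode

# Constructed fixture (not FOSSBilling data): the administrator's configuration
# from the report, product 1 may be upgraded to product 2 but not to product 3.
PRODUCT_UPGRADES = {1: {2}}

# Constructed orders table: order 19 is for product 1 and belongs to client 7.
ORDERS = {19: {"client_id": 7, "product_id": 1}}

# Form body modelled on the PoC request; the product IDs are assumed.
UPGRADE_BODY = (
    "CSRFToken=182e0a69002c8a873b9f5dbdd677e966"
    "&subject=I+would+like+to+upgrade+product1"
    "&support_helpdesk_id=1"
    "&rel_new_value=2"
    "&content=I+would+like+to+upgrade+product1"
    "&rel_type=order&rel_id=19&rel_task=upgrade"
)


class UpgradeNotAllowed(Exception):
    """Raised when the requested target product is not an allowed upgrade."""


def parse_ticket_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded ticket body into a flat dict."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def tamper(body: str, new_product_id: int) -> str:
    """What the Burp step does: rewrite rel_new_value and re-encode the body."""
    fields = parse_ticket_form(body)
    fields["rel_new_value"] = str(new_product_id)
    return urlencode(fields)


def vulnerable_upgrade_ticket(fields: dict, client_id: int) -> dict:
    """Models the behaviour the report describes: the target product ID in
    rel_new_value is trusted as sent, so any product ID is accepted.
    client_id is unused here on purpose; the signature mirrors the fixed handler."""
    order = ORDERS[int(fields["rel_id"])]
    return {
        "order_id": int(fields["rel_id"]),
        "from_product": order["product_id"],
        "to_product": int(fields["rel_new_value"]),
    }


def hardened_upgrade_ticket(fields: dict, client_id: int) -> dict:
    """Same handler with the checks the fix needs: the order must belong to the
    caller, and the target product must be in the admin-configured upgrade
    list for the order's current product. Anything else is rejected."""
    if fields.get("rel_type") != "order" or fields.get("rel_task") != "upgrade":
        raise ValueError("only order upgrade tickets are handled here")
    order = ORDERS.get(int(fields["rel_id"]))
    if order is None or order["client_id"] != client_id:
        # Ownership check: standard practice, not a finding of this report.
        raise PermissionError("order does not belong to this client")
    to_product = int(fields["rel_new_value"])
    allowed = PRODUCT_UPGRADES.get(order["product_id"], set())
    if to_product not in allowed:
        # The check that was missing: rel_new_value is client-controlled,
        # so it is validated against the allow-list, never trusted.
        raise UpgradeNotAllowed(
            f"product {order['product_id']} may not be upgraded to {to_product}"
        )
    return {
        "order_id": int(fields["rel_id"]),
        "from_product": order["product_id"],
        "to_product": to_product,
    }


if __name__ == "__main__":
    legit = parse_ticket_form(UPGRADE_BODY)
    tampered = parse_ticket_form(tamper(UPGRADE_BODY, 3))
    print("vulnerable, tampered:", vulnerable_upgrade_ticket(tampered, 7))
    print("hardened, legitimate:", hardened_upgrade_ticket(legit, 7))
    try:
        hardened_upgrade_ticket(tampered, 7)
    except UpgradeNotAllowed as exc:
        print("hardened, tampered: rejected,", exc)
```

The allow-list lookup keys on the order's current product as stored server-side, not on anything in the request, so the only client-controlled value that reaches the decision is the candidate target, and it can only be accepted or refused.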

Impact

This vulnerability allows a client to obtain products they are not entitled to, leading to data leakage, financial loss for the operator, and other harmful consequences.

We are processing your report and will contact the fossbilling team within 24 hours. 3 months ago
Belle Aerni modified the Severity from High (8.8) to Medium (5.4) 3 months ago
lujiefsi modified the report 3 months ago

lujiefsi (Researcher), 3 months ago:


Modify the report to make it more clear

fossbilling/fossbilling maintainer has acknowledged this report 3 months ago
Belle Aerni modified the Severity from Medium (5.4) to Medium (4.6) 3 months ago
Belle Aerni (Maintainer), 3 months ago:


I've been able to replicate this and I've submitted proposed changes to resolve it. You can find the pull request here.

@admin please mark this one as valid

The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Belle Aerni validated this vulnerability 3 months ago
lujiefsi has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Belle Aerni marked this as fixed in 0.5.0 with commit 748d93 3 months ago
Belle Aerni has been awarded the fix bounty
This vulnerability will not receive a CVE
This vulnerability is scheduled to go public on Jun 19th 2023
Belle Aerni published this vulnerability 3 months ago