Fossbilling is Vulnerable to HTML Injection During the Generation of Invoices, Which Leads To An Open Redirect Vulnerability. in fossbilling/fossbilling


Reported on Jul 1st 2023


FOSSBilling suffers from a lack of sanitization in the handling of admin input values. This issue manifests when clients attempt to generate invoices for their orders. Specifically, in the PDF generation of invoices, the company name, editable through the admin portal, is included. An attacker with administrative access could exploit this vulnerability by inserting a malicious link within the company name field. Consequently, this alteration would impact every client, potentially leading to an open redirect vulnerability.

Proof of Concept

<a href=>Click here</a>


  1. Log in to the application utilizing the administrator credentials.
  2. Access the URL:
  3. Modify the company name to "<a href=>Click here</a>" and save the changes.
  4. Now, proceed to log in as any client.
  5. Place an order for a specific domain.
  6. Navigate to the invoice section and click on the PDF option.
  7. Observe that the previously injected malicious HTML code is rendered within the PDF document.

This sequence of actions reveals a critical vulnerability in the application, whereby an attacker with administrative privileges can exploit the lack of input sanitization. By injecting a malicious link into the company name field, the compromised HTML code propagates throughout the software, affecting all clients. Consequently, when generating invoices in PDF format, the malicious HTML code is rendered, potentially leading to various security risks and exposing users to the attacker's intended actions.


  1. Malware Distribution: The attacker may utilize the injected HTML code to deliver malicious payloads or initiate drive-by downloads. This can result in the installation of malware on the client's system, leading to potential data breaches, system compromise, or further propagation of malware within the network.
  2. Brand Reputation Damage: If customers or clients receive invoices containing the injected HTML code, it can erode trust and damage the reputation of the affected organization. Such incidents may lead to financial losses, loss of business opportunities, and a negative impact on customer loyalty.
  3. Open Redirect Vulnerability: The bug also introduces an open redirect vulnerability, enabling the attacker to redirect users to arbitrary external websites. This can be exploited to conduct phishing attacks, deliver malware, or trick users into unknowingly visiting malicious pages that exploit additional vulnerabilities.
  4. Phishing Attacks: The injected HTML code can contain phishing links, redirecting users to malicious websites that mimic legitimate ones. This can trick unsuspecting users into providing their login credentials, personal information, or financial details, thereby facilitating identity theft, fraud, or further exploitation.


The 'name' parameter does not have any mitigation for HTML tags.
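The pattern the report describes, shown as an added illustration that is not FOSSBilling's own code nor the patch the researcher submitted: an admin-controlled company name interpolated verbatim into invoice markup, beside a version that escapes at output time and a save-time check that rejects tags outright. It assumes the invoice is built from an HTML template that is later converted to PDF; the function names and the sample value (including its placeholder href) are constructed for this example.

```php
<?php
declare(strict_types=1);

// Constructed sample of the admin-editable setting, shaped like the report's payload.
// The href is a reserved-TLD placeholder, not a real destination.
const INJECTED_NAME = '<a href="https://attacker.example/">Click here</a>';

/**
 * Unsafe pattern (what the report describes): the setting is concatenated into
 * the template as-is, so any tags it carries become live markup in the PDF.
 */
function renderInvoiceHeaderUnsafe(string $companyName): string
{
    return '<h1>' . $companyName . '</h1>';
}

/**
 * Hardened pattern: escape at the point of output. ENT_QUOTES also escapes
 * single quotes, so the same helper is safe inside attribute values;
 * ENT_SUBSTITUTE avoids an empty string on invalid UTF-8.
 */
function renderInvoiceHeaderSafe(string $companyName): string
{
    $escaped = htmlspecialchars($companyName, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<h1>' . $escaped . '</h1>';
}

/**
 * Defence in depth: refuse markup when the admin saves the setting, so the
 * stored value is clean no matter which template consumes it later.
 * Comparing against strip_tags() makes the rejection explicit instead of
 * silently rewriting the admin's input.
 */
function validateCompanyName(string $name): string
{
    if ($name !== strip_tags($name)) {
        throw new InvalidArgumentException('Company name must not contain HTML tags');
    }
    return trim($name);
}

/** Detection helper: does rendered invoice markup still contain a live anchor? */
function containsAnchorTag(string $html): bool
{
    return (bool) preg_match('/<a\s[^>]*href/i', $html);
}

// Demonstration: the unsafe renderer keeps the anchor, the safe one turns it
// into literal text, and the validator rejects the value before it is stored.
printf("unsafe keeps link: %s\n", containsAnchorTag(renderInvoiceHeaderUnsafe(INJECTED_NAME)) ? 'yes' : 'no');
printf("safe keeps link:   %s\n", containsAnchorTag(renderInvoiceHeaderSafe(INJECTED_NAME)) ? 'yes' : 'no');

try {
    validateCompanyName(INJECTED_NAME);
} catch (InvalidArgumentException $e) {
    echo 'Rejected at save time: ', $e->getMessage(), PHP_EOL;
}
echo 'Accepted: ', validateCompanyName('Example Hosting Ltd'), PHP_EOL;
```

Escaping at output is the fix that closes the bug for every template; the save-time check is a second layer that keeps a clean value in the database, which matters when the same setting is also emailed or shown in the client area.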

We are processing your report and will contact the fossbilling team within 24 hours. 3 months ago
Abhishek Morla submitted a
3 months ago
Belle Aerni modified the Severity from Medium (5.9) to Medium (4.8) 3 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Belle Aerni validated this vulnerability 3 months ago

Thanks, I was able to replicate this. FYI, your POC video isn't public, but this is a really easy one to test so it's not a big deal. I'll get a version of the patch you provided up as a PR on our repo.

Abhishek Morla has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Abhishek Morla
3 months ago


Happy to have secured! Would it be possible to request the assignment of a CVE after the patch has been applied?

Belle Aerni marked this as fixed in 0.5.4 with commit f63486 3 months ago
Abhishek Morla has been awarded the fix bounty
This vulnerability will not receive a CVE
This vulnerability is scheduled to go public on Jul 9th 2023
Service.php#L156 has been validated
Belle Aerni gave praise 3 months ago
Thanks again for finding this and submitting a patch, it's appreciated!
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
Abhishek Morla
3 months ago


Thank you for your prompt response. Could you kindly explain why this particular issue is not eligible for a CVE? I noticed that there are other CVEs with the same vulnerability and similar or lower CVSS scores that have been assigned.

Belle Aerni published this vulnerability 3 months ago
Belle Aerni
3 months ago


@admin, when I marked this vulnerability as valid I originally selected that it would not receive a CVE; however, I have since changed my mind. When publishing, I selected the option to assign it a CVE, but it doesn't appear that went through. Can we please get a CVE assigned?

Thank you.

Abhishek Morla
2 months ago


@admin, can you please request a CVE for this vulnerability?

Abhishek Morla
2 months ago


@admin, can you please request a CVE for this vulnerability?

Abhishek Morla
2 months ago


@admin, can you please request a CVE for this vulnerability?

Ben Harvie
2 months ago


CVE assigned as requested :)

Abhishek, please avoid spamming the comment section and Chatwoot, we will get around to requests as quickly as we possibly can. Thanks!
