Serious Security Vulnerability Discovered in Promotion in fossbilling/fossbilling


Reported on

Jun 9th 2023


I am writing to report a serious security vulnerability that we have uncovered. Specifically, we have found that promotions applied to certain client groups are still being honored even after the promotions are no longer applicable to those groups.

This means that attackers can potentially gain access to discounted products that should not be available to them, leading to revenue loss and jeopardizing the trust of your customers.

Proof of Concept

1 Log in to the website with administrator privileges

2 Navigate to the promotions section and identify a promotion that is applicable to a specific user group

4 Intercept the request in Burp Suite for any user within that group who orders the applicable product

5 Remove the group association for the Promotion

6 Continue intercepting the requests for any user within that group who orders the applicable product

Thank you for your attention to this matter. Please feel free to contact me if you have any additional questions.


As a responsible security researcher, I strongly urge you to investigate this issue and take immediate action to address it. This could include revoking access to the promotions for all users, modifying the code to correctly enforce the promotion restrictions, or implementing additional security measures to prevent unauthorized access.

We are processing your report and will contact the fossbilling team within 24 hours. 6 months ago
Belle Aerni modified the Severity from High (8.8) to Medium (5.4) 6 months ago
fossbilling/fossbilling maintainer has acknowledged this report 6 months ago
6 months ago



The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Belle Aerni validated this vulnerability 6 months ago

I've been able to validate this report and I've submitted a pull request to resolve it:

lujiefsi has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Belle Aerni marked this as fixed in 0.5.0 with commit a02b1b 6 months ago
Belle Aerni has been awarded the fix bounty
This vulnerability will not receive a CVE
This vulnerability is scheduled to go public on Jun 19th 2023
Belle Aerni published this vulnerability 6 months ago
to join this conversation