Description
FOSSBilling is a free, open-source billing and client management system. Versions prior to 0.8.0 leak the exact system version through asset cache buster parameters in HTML output, bypassing the `hide_version_public` security setting. The FOSSBilling version is embedded in the query string of every `` and `` tag generated by the `script_tag` and `stylesheet_tag` Twig filters. This information is visible to all visitors — including unauthenticated guests — on every page, regardless of whether the `hide_version_public` setting is enabled. The `X-FOSSBilling-Version` HTTP header and the `guest.system.version` API endpoint correctly honour the `hide_version_public` setting, but the asset cache buster parameters were overlooked. Knowledge of the exact FOSSBilling version makes it significantly easier for malicious actors to identify known vulnerabilities applicable to a given installation and craft targeted exploits. While not a direct vulnerability on its own, it undermines the intended protection offered by the `hide_version_public` setting and facilitates reconnaissance. Version 0.8.0 contains a patch. There is no practical workaround that removes the version from asset URLs without modifying source code.
Details
Affected Packages
| Software | From version | Fixed in |
|---|---|---|
| unknown | — | — |
References
Similar Threats
- Unknown CVE-2022-0003
- Unknown CVE-2022-0303
- High CVE-2022-1206
- Unknown CVE-2022-0931
- Unknown CVE-2022-0094
Free Vulnerability Check
Is your WordPress site affected?
BotEraser helps you identify potentially vulnerable plugins and themes by checking your installation against known CVE records.
Scan My Site Free →No credit card required · Results in minutes
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the vulnerabilities listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.