SQL Injection: FOSSBilling <= 0.5.2 & All BoxBilling Releases
Posted in the Security Alerts forum of The FOSSBilling Forum (https://forum.fossbilling.org/thread-2.html)
BelleNottelling - 07-25-2024

This is an old security report which was resolved in June of 2023. It has been posted on the new forum to ensure visibility for administrators who are running either BoxBilling or outdated FOSSBilling installations.

Description

All FOSSBilling releases older than version 0.5.3 (from June 30th, 2023) are vulnerable to SQL injection through publicly facing search API endpoints. Additionally, the project that FOSSBilling is based on (BoxBilling) suffers from the same flaw in all existing releases (as of 07-24-24).

Severity: 9.8
CVE: CVE-2023-3490
Fix version: FOSSBilling version 0.5.3; no patch created for BoxBilling
Affected versions: FOSSBilling <= 0.5.2; all existing BoxBilling versions
Resolution: Upgrade to at least FOSSBilling version 0.5.3. BoxBilling users should look to migrate to new platforms.