The FOSSBilling Forum
Possible Vulnerability: Unauthorized Emails Being Added to mod_email_queue - Printable Version

Posted in Support - Bugs & Errors on The FOSSBilling Forum (https://forum.fossbilling.org/thread-525.html)

Possible Vulnerability: Unauthorized Emails Being Added to mod_email_queue - moefriend - 12-02-2025

Hello FOSSBilling community,

I'm experiencing an attack (after an abusive free user harassed us) where unauthorized emails are being added to the `mod_email_queue` table, and I suspect there may be a vulnerability in FOSSBilling's email queue handling.

Issue Summary:
- Hundreds of identical payment reminder emails are being queued to the email address linked to a FOSSBilling client user & invoice 
- These emails are appearing in the database with status 'unsent' and incrementing IDs
- With cron jobs, these emails are sent in batch with extremely high volume
- The emails reference an already suspended client_id but are being triggered repeatedly by the cron jobs (before I purged the `mod_email_queue` table)

Database Dump from the `mod_email_queue` table:

(3115, '[REDACTED_SPAMMER_EMAIL]', '[REDACTED_FOSSBILLING_SUPPORT_EMAIL]', '[[MY_FOSSBILLING_DOMAIN].org] Payment Reminder', ...),
(3116, '[REDACTED_SPAMMER_EMAIL]', '[REDACTED_FOSSBILLING_SUPPORT_EMAIL]', '[[MY_FOSSBILLING_DOMAIN].org] Payment Reminder', ...),
(3117, '[REDACTED_SPAMMER_EMAIL]', '[REDACTED_FOSSBILLING_SUPPORT_EMAIL]', '[[MY_FOSSBILLING_DOMAIN].org] Payment Reminder', ...),
-- Continues with thousands of incrementing IDs

All entries:
- Have `status: 'unsent'` and are being queued when the cron job runs
- Reference the same invoice, same user

Unlikely:
- Direct database compromise (no other tables affected, no admin accounts created)
- Server-level compromise (no unauthorized file access)
- Compromised admin panel (no suspicious FB login activity)

Current Theory:
I suspect there may be an unauthenticated API endpoint or a flaw in the email queue system that allows external parties to inject predefined (hopefully not arbitrary) system emails into the queue. 

My Setup:
- FOSSBilling version: 0.7.2
- PHP version: 8.4.8
- MySQL version: 8.0.44

Security dashboard at /admin/security:
- All checks passed

I've cleared the malicious queue entries and am monitoring for new insertions, but I need to identify and patch the root cause.
Has anyone else experienced this? Is this a known issue, and if so, what's the recommended fix?

Any guidance would be greatly appreciated.
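One way to monitor the queue for the pattern described in this thread (many pending copies of the same subject to the same recipient and client). This is an added example, not code from the post or from FOSSBilling; the column names recipient, sender, subject, client_id and status are assumed from the redacted dump and the FOSSBilling schema, the rows are constructed, and the same SELECT can be pointed at the live MySQL table.

```python
import sqlite3

# Constructed sample modelled on the redacted dump in the post; not real data.
# Columns assumed from the post and the FOSSBilling schema: id, recipient,
# sender, subject, client_id, status (other columns omitted here).
SAMPLE_ROWS = [
    (3115, "abuser@example.invalid", "support@example.org", "[example.org] Payment Reminder", 77, "unsent"),
    (3116, "abuser@example.invalid", "support@example.org", "[example.org] Payment Reminder", 77, "unsent"),
    (3117, "abuser@example.invalid", "support@example.org", "[example.org] Payment Reminder", 77, "unsent"),
    (3118, "abuser@example.invalid", "support@example.org", "[example.org] Payment Reminder", 77, "unsent"),
    (3119, "abuser@example.invalid", "support@example.org", "[example.org] Payment Reminder", 77, "unsent"),
    # An older copy that was already delivered is ignored by the status filter.
    (3001, "abuser@example.invalid", "support@example.org", "[example.org] Payment Reminder", 77, "sent"),
    # A normal client with a single pending reminder stays below the threshold.
    (3120, "client@example.net", "support@example.org", "[example.org] Payment Reminder", 12, "unsent"),
]

# Groups pending rows by recipient/subject/client and reports groups whose size
# reaches the threshold, with the id range so the burst can be purged precisely.
DETECT_SQL = """
SELECT recipient, subject, client_id,
       COUNT(*) AS n, MIN(id) AS first_id, MAX(id) AS last_id
FROM mod_email_queue
WHERE status = 'unsent'
GROUP BY recipient, subject, client_id
HAVING COUNT(*) >= ?
ORDER BY n DESC
"""


def find_duplicate_bursts(rows, threshold=10):
    """Load rows into an in-memory copy of the queue table and return flagged groups."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE mod_email_queue (id INTEGER PRIMARY KEY, recipient TEXT, "
        "sender TEXT, subject TEXT, client_id INTEGER, status TEXT)"
    )
    conn.executemany("INSERT INTO mod_email_queue VALUES (?, ?, ?, ?, ?, ?)", rows)
    cur = conn.execute(DETECT_SQL, (threshold,))
    cols = [d[0] for d in cur.description]
    result = [dict(zip(cols, r)) for r in cur.fetchall()]
    conn.close()
    return result


if __name__ == "__main__":
    for g in find_duplicate_bursts(SAMPLE_ROWS, threshold=3):
        print(f"{g['n']} pending copies of {g['subject']!r} to {g['recipient']} "
              f"(client {g['client_id']}, ids {g['first_id']}-{g['last_id']})")
```

Run the query from cron a few minutes before the FOSSBilling cron fires so a burst is caught while the rows are still 'unsent'.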