CVE-2025-64105
Deferred Deferred - Pending Action

Insecure Direct Object Reference in FOSSBilling Support Ticket System

Vulnerability report for CVE-2025-64105, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-23

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description

FOSSBilling is a billing and client management system that automates invoicing, payments, and communication for online service businesses. Versions 0.6.21 through 0.7.2 are vulnerable to IDOR through the support ticket creation workflow. By manipulating rel_id when rel_type=order, an authenticated client can create a support ticket that references another client's order they do not own. The ticketCreateForClient() method accepted rel_id without verifying order ownership for non-upgrade tasks, allowing clients to link a new ticket to another client's order by crafting the request. No cron task automatically processes cancel/upgrade requests from ticket relations; staff action is required. This affects integrity and confidentiality: staff could be misled into acting on the wrong order (e.g., cancellation or upgrade requests). While there is no client-to-client order data exposure, order IDs may appear in ticket context. This issue has been fixed in version 0.8.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-23
Last Modified
2026-06-24
Generated
2026-07-14
AI Q&A
2026-06-24
EPSS Evaluated
2026-07-13
NVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
fossbilling fossbilling From 0.6.21 (inc) to 0.7.2 (inc)
fossbilling fossbilling 0.8.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects FOSSBilling versions 0.6.21 through 0.7.2 and is an Insecure Direct Object Reference (IDOR) issue in the support ticket creation workflow.

An authenticated client can manipulate the 'rel_id' parameter when 'rel_type=order' to create a support ticket that references another client's order, which they do not own.

The method ticketCreateForClient() accepted the rel_id without verifying ownership of the order for non-upgrade tasks, allowing clients to link new tickets to other clients' orders by crafting the request.

Although no direct client-to-client order data exposure occurs, order IDs may appear in the ticket context, potentially misleading staff into acting on the wrong order.

This issue was fixed in version 0.8.0.

Impact Analysis

This vulnerability impacts the integrity and confidentiality of order management within FOSSBilling.

Staff could be misled into acting on incorrect orders, such as processing cancellation or upgrade requests for orders they should not be handling.

While clients cannot directly access other clients' order data, the presence of order IDs in ticket contexts could cause confusion or incorrect administrative actions.

Mitigation Strategies

To mitigate this vulnerability, upgrade FOSSBilling to version 0.8.0 or later, where the issue has been fixed.

Additionally, ensure that staff carefully verify support tickets related to order cancellations or upgrades, as no automatic processing occurs and staff action is required.

Compliance Impact

The vulnerability affects the integrity and confidentiality of order-related information within the FOSSBilling system by allowing an authenticated client to create support tickets linked to orders they do not own. This could mislead staff into acting on incorrect orders, potentially impacting the accuracy and confidentiality of client data.

However, there is no direct exposure of client-to-client order data, and order IDs only appear in ticket context. The description does not explicitly mention impacts on compliance with standards such as GDPR or HIPAA.

Therefore, while the vulnerability could indirectly affect compliance by compromising data integrity and confidentiality, no specific compliance implications are detailed.

Detection Guidance

This vulnerability involves manipulation of the rel_id parameter when rel_type=order during support ticket creation by an authenticated client. Detection involves monitoring for unusual or unauthorized creation of support tickets referencing orders not owned by the client.

Since the issue is related to crafted requests targeting the ticketCreateForClient() method, network detection can focus on identifying HTTP requests to the support ticket creation endpoint that include rel_type=order with suspicious or unexpected rel_id values.

Suggested commands or approaches include:

  • Use web server logs or a network monitoring tool to filter HTTP POST requests to the ticket creation API endpoint containing the parameter rel_type=order.
  • Example using grep on web server logs: grep -i 'rel_type=order' /var/log/apache2/access.log
  • Analyze application logs for support ticket creation events where the rel_id does not match the authenticated client's orders.
  • Implement or review audit logs to track ticket creation requests and verify order ownership consistency.

Because the vulnerability requires authentication and low privileges, monitoring authenticated user actions and correlating ticket creation with order ownership is essential.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-64105. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart