Executive Summary

CVE-2026-43924 is an open redirect vulnerability in FOSSBilling versions 0.1.0 through 0.7.2. The Redirect module does not validate the URL scheme of administrator-configured redirect targets before storing or issuing redirects.

This allows an attacker with administrator privileges to configure arbitrary external URLs as redirect targets. As a result, users who follow legitimate FOSSBilling URLs can be silently redirected to attacker-controlled external sites.

The redirect is issued as a 301 (Moved Permanently) response, which browsers cache persistently, amplifying the impact of the attack.

Exploitation requires administrator privileges to create or modify redirect entries, so it is mainly a risk in multi-admin environments or if an admin account is compromised.

The issue was fixed in version 0.8.0, and workarounds include restricting admin access to the Redirect module and auditing existing redirect entries for unexpected or external URLs.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can be exploited to perform phishing attacks by redirecting users from legitimate FOSSBilling URLs to attacker-controlled external sites without their knowledge.

Because the redirect uses a 301 (Moved Permanently) response, browsers cache the redirect persistently, which can cause repeated redirection to malicious sites even after the initial attack.

The impact is limited by the requirement for administrator privileges to create or modify redirect entries, so it mainly affects environments with multiple administrators or where an admin account has been compromised.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by auditing the existing redirect entries configured by administrators in the FOSSBilling system. Specifically, you should check the redirect targets stored in the database table `extension_meta` where `extension = 'mod_redirect'` for any unexpected or external URLs that could indicate an open redirect configuration.

Since the vulnerability involves administrator-configured redirect URLs, detection involves querying the database for redirect entries and inspecting them for suspicious external URLs.

• Run a SQL query on the FOSSBilling database to list redirect entries, for example:
• SELECT * FROM extension_meta WHERE extension = 'mod_redirect';
• Review the results for any redirect URLs that point to external or untrusted domains.

Additionally, monitoring HTTP responses for 301 redirects issued by the FOSSBilling Redirect module to external URLs can help detect exploitation attempts.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation steps include upgrading FOSSBilling to version 0.8.0 or later, where this vulnerability has been fixed.

If upgrading immediately is not possible, apply the following workarounds:

• Restrict administrator access to the Redirect module to only trusted administrators.
• Audit the existing redirect entries in the database (in the `extension_meta` table with `extension = 'mod_redirect'`) and remove or correct any redirect URLs that point to external or untrusted sites.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows an open redirect to attacker-controlled external URLs, which can be exploited for phishing attacks by redirecting users silently from legitimate FOSSBilling URLs.

Such phishing risks could potentially lead to unauthorized access or data exposure, which may impact compliance with standards like GDPR or HIPAA that require protection of user data and prevention of unauthorized access.

However, exploitation requires administrator privileges, limiting the practical risk to environments with multiple administrators or compromised admin accounts.

Mitigations such as restricting admin access and auditing redirect entries can reduce the risk and help maintain compliance.

Useful 0 Not Useful 0