Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
FOSSBilling's missing self-edit prevention in staff permission management allows persistent privilege escalation
Vulnerability Description
FOSSBilling is a free, open-source billing and client management system. Versions prior to 0.8.0 allow a low-privileged staff account to grant arbitrary module permissions to itself through the admin API, resulting in persistent privilege escalation. A staff user that only has `staff.create_and_edit_staff` can call `/api/admin/staff/permissions_update` targeting their own account and write any permission structure, bypassing the intended role-based access control boundary. Version 0.8.0 patches the issue. Some workarounds are available. Restrict the `staff.create_and_edit_staff` permission to only highly trusted staff members and/or use a reverse proxy or WAF to restrict access to `/api/admin/staff/permissions_update` to specific trusted roles.
CVSS Information
N/A
Vulnerability Type
特权管理不恰当
Vulnerability Title
FOSSBilling 权限许可和访问控制问题漏洞
Vulnerability Description
fossbilling是fossbilling团队开源的一种高效计费和客户管理方案。 FOSSBilling 0.8.0之前版本存在权限许可和访问控制问题漏洞,该漏洞源于低权限的员工账户可通过admin API授予自身任意模块权限,绕过基于角色的访问控制边界,导致持久权限提升。
CVSS Information
N/A
Vulnerability Type
N/A