漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
FOSSBilling allows low-privileged staff accounts to perform unauthorized actions via admin API endpoints
Vulnerability Description
FOSSBilling is a free, open-source billing and client management system. Versions prior to 0.8.0 allow low-privileged staff accounts to perform unauthorized actions via admin API endpoints. The root cause is a combination of the `can_always_access` module flag (which grants all staff access to certain modules) and insufficient permission checks or unsafe parameter handling on individual endpoints. Version 0.8.0 contains a fix. Some workarounds are available. Restrict staff accounts to only those who need access to sensitive settings and/or use a reverse proxy or WAF to restrict access to the affected endpoints to trusted IP addresses or higher-privilege roles.
CVSS Information
N/A
Vulnerability Type
信息暴露
Vulnerability Title
FOSSBilling 信息泄露漏洞
Vulnerability Description
fossbilling是fossbilling团队开源的一种高效计费和客户管理方案。 FOSSBilling 0.8.0之前版本存在安全漏洞,该漏洞源于`can_always_access`模块标志与权限检查不足或单个端点上不安全的参数处理相结合,可能导致低权限员工账户通过admin API endpoints执行未经授权的操作。
CVSS Information
N/A
Vulnerability Type
N/A