漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
FOSSBilling vulnerable to unauthenticated API key configuration disclosure via guest Serviceapikey get_info endpoint
Vulnerability Description
FOSSBilling is a free, open-source billing and client management system. In versions 0.5.3 through 0.7.2, the Guest `serviceapikey/get_info` API endpoint is accessible without authentication. Any caller with a valid API key can retrieve all custom configuration parameters (`custom_*` fields) stored in the key's database record. These custom fields are populated by billing administrators and can contain business-sensitive data such as pricing tiers, feature flags, rate limits, expiry overrides, or access scope data. Version 0.8.0 patches the issue. Some workarounds are available. Administrators can avoid storing sensitive data in `custom_*` API key configuration fields, monitor API logs for suspicious calls to `/api/guest/serviceapikey/get_info`, and/or disable the Serviceapikey module if not in active use.
CVSS Information
N/A
Vulnerability Type
信息暴露
Vulnerability Title
FOSSBilling 信息泄露漏洞
Vulnerability Description
fossbilling是fossbilling团队开源的一种高效计费和客户管理方案。 FOSSBilling 0.5.3版本至0.7.2版本存在安全漏洞,该漏洞源于Guest服务apiKey/get_info API端点未经验证,任何持有有效API密钥的调用者可检索密钥数据库记录中的自定义配置参数,可能导致泄露定价层级、功能标志、速率限制、有效期覆盖或访问范围数据等业务敏感信息。
CVSS Information
N/A
Vulnerability Type
N/A