Sainithin0309

**Name of the Vulnerable Software and Affected Versions** FOSSBilling versions prior to 0.8.0 **Description** The password reset confirmation endpoint "/client/reset-password-confirm/:hash" is handled by a non-API controller and is not covered by the system rate limiter, which only applies to "/api/*" routes. This allows an attacker to probe the endpoint for valid reset tokens without per-IP request limiting, attempt counting, or lockout mechanisms. The endpoint functions as an oracle, returning an HTTP 200 response for valid tokens and an HTTP 302 redirect for invalid ones. Similar architectural gaps exist for the admin password reset confirmation endpoint "/staff/email/:hash" and the email confirmation endpoint "/client/confirm-email/:hash". **Recommendations** Update to version 0.8.0. Configure a reverse proxy to apply per-IP rate limiting to the "/client/reset-password-confirm/*" and "/staff/email/*" paths. Use a WAF rule to limit request rates to these endpoints.

**Name of the Vulnerable Software and Affected Versions** FOSSBilling versions prior to 0.8.0 **Description** The Redirect module fails to validate the URL scheme of destination URLs configured by administrators before they are stored or issued. This allows the configuration of arbitrary external URLs as redirect targets, enabling open redirects that can be used in phishing attacks. When a user follows a legitimate URL, they may be silently redirected to an external site controlled by an attacker via a 301 (Moved Permanently) response, which is persistently cached by browsers. Exploitation requires administrator privileges to create or modify redirect entries. **Recommendations** Update to version 0.8.0. Restrict admin access to the Redirect module to trusted administrators only. Audit existing redirect entries in the `extension meta` table where `extension` is set to `mod redirect` for unexpected or external target URLs.