Unknown · Fossbilling · CVE-2026-40495
**Name of the Vulnerable Software and Affected Versions**
FOSSBilling versions prior to 0.8.0
**Description**
FOSSBilling leaks the exact system version through asset cache buster parameters in HTML output, which bypasses the `hide version public` security setting. The version is embedded in the query string of every `<script>` and `<link>` tag generated by the `script tag` and `stylesheet tag` Twig filters. This information is visible to all visitors, including unauthenticated guests, on every page. While the `X-FOSSBilling-Version` HTTP header and the `guest.system.version` API endpoint correctly honor the security setting, the asset cache buster parameters do not. This exposure facilitates reconnaissance by allowing actors to identify known issues applicable to a specific installation.
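The check below is an added example, not FOSSBilling's own code: it scans rendered HTML for `<script>` and `<link>` assets whose cache-buster query string carries a version-like value (the symptom described above), and shows a content-hash cache buster as one version-neutral alternative. The `v` parameter name and the sample HTML fragment are constructed assumptions.

```python
# Added example (not FOSSBilling code): flag assets whose cache-buster query
# string carries a version-like value. Parameter name "v" and the sample HTML
# below are constructed assumptions.
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# Semantic-version strings such as 0.7.3 or 0.7.3-beta.1
SEMVER_RE = re.compile(r"^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.]+)?$")


class _AssetCollector(HTMLParser):
    """Collect the src/href URLs of <script> and <link> tags."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr = {"script": "src", "link": "href"}.get(tag)
        url = dict(attrs).get(attr) if attr else None
        if url:
            self.urls.append(url)


def find_version_leaks(html):
    """Return (url, param, value) for each asset whose query string carries a version."""
    collector = _AssetCollector()
    collector.feed(html)
    return [
        (url, name, value)
        for url in collector.urls
        for name, value in parse_qsl(urlsplit(url).query)
        if SEMVER_RE.match(value)
    ]


def content_cache_buster(asset_bytes):
    """Version-neutral cache buster derived from the asset's contents, not the release."""
    return hashlib.sha256(asset_bytes).hexdigest()[:12]


# Constructed page fragment: the first two assets leak the version, the third does not.
SAMPLE_HTML = """
<link rel="stylesheet" href="/themes/admin/css/main.css?v=0.7.3">
<script src="/themes/admin/js/app.js?v=0.7.3"></script>
<script src="/themes/admin/js/vendor.js?v=9f86d081884c"></script>
"""
```

Running `find_version_leaks` over a page fetched as an unauthenticated guest gives a direct regression check that the hide-version setting is honoured by the asset tags, not only by the header and API endpoint.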
**Recommendations**
Update to version 0.8.0.