PT-2025-31528 · Unknown · Magnusbilling

Madhav-Bhardwaj · Published 2025-07-31 · Updated 2025-07-31 · CVE-2025-52289

CVSS v3.1: 8.0 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: MagnusBilling version 7.8.5.3

Description: A broken access control issue in MagnusBilling version 7.8.5.3 allows newly registered users to gain escalated privileges. This is achieved by sending a crafted request to the /mbilling/index.php/user/save API endpoint to change their account status from "pending" to "active" without administrator approval.

Recommendations (MagnusBilling version 7.8.5.3):
- Restrict access to the /mbilling/index.php/user/save API endpoint to authorized personnel only.
- Implement stricter account status validation and require administrator approval for activating new user accounts.
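The following is an added illustration, not MagnusBilling's own code, of the two recommendations above: a minimal "save user" handler in the unsafe shape the description implies (every submitted field is written to the record, including status) next to a hardened version that allowlists fields per role so that only an administrator can move an account from "pending" to "active", plus a small detection check over constructed log lines. The role names, record fields, request shape and log format are assumptions for illustration.

```python
"""Added example (not MagnusBilling code): unsafe vs. hardened 'user/save'
style update handler, and a log check for non-admin status writes.
Role names, fields, request shape and log format are assumed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

PENDING, ACTIVE = "pending", "active"


@dataclass
class User:
    id: int
    role: str                 # "admin" or "client": role names are assumed
    status: str = PENDING
    email: str = ""


@dataclass
class Store:
    users: Dict[int, User] = field(default_factory=dict)


class Forbidden(Exception):
    """Raised when the caller may not perform the requested update."""


# Field allowlists per role. 'status' and 'role' are deliberately absent
# from the client list: activation must go through an administrator.
CLIENT_EDITABLE = {"email"}
ADMIN_EDITABLE = CLIENT_EDITABLE | {"status", "role"}


def make_store():
    """Constructed sample data: one admin and one freshly registered client."""
    store = Store()
    admin = User(id=1, role="admin", status=ACTIVE, email="admin@example.invalid")
    client = User(id=2, role="client", email="new@example.invalid")
    store.users[admin.id] = admin
    store.users[client.id] = client
    return store, admin, client


def save_user_unsafe(store: Store, caller: User, payload: dict) -> User:
    """Vulnerable shape: every key of the request body is copied onto the
    record, so the caller's role never matters and a pending client can
    submit a 'status' field for its own account."""
    target = store.users[payload["id"]]
    for key, value in payload.items():
        if key != "id":
            setattr(target, key, value)
    return target


def save_user_hardened(store: Store, caller: User, payload: dict) -> User:
    """Hardened shape: non-admins may only edit their own record, each role
    has an explicit field allowlist, and a field outside it is rejected
    rather than silently dropped, so the attempt is visible to logging."""
    target = store.users[payload["id"]]
    is_admin = caller.role == "admin"
    if not is_admin and caller.id != target.id:
        raise Forbidden("clients may only edit their own record")
    allowed = ADMIN_EDITABLE if is_admin else CLIENT_EDITABLE
    rejected = set(payload) - allowed - {"id"}
    if rejected:
        raise Forbidden(f"fields not permitted for role '{caller.role}': {sorted(rejected)}")
    for key in allowed & set(payload):
        setattr(target, key, payload[key])
    return target


def raises_forbidden(fn: Callable, *args) -> bool:
    """True if the call is rejected with Forbidden (helper for checks)."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


# Constructed access-log lines in an assumed key=value format, used to show
# a detection rule for this issue: a non-admin sending 'status' to the
# save endpoint.
SAMPLE_LOG = [
    "2025-07-31T10:00:01Z uid=42 role=client POST /mbilling/index.php/user/save body=id=42&email=a@example.invalid",
    "2025-07-31T10:00:05Z uid=42 role=client POST /mbilling/index.php/user/save body=id=42&status=active",
    "2025-07-31T10:01:10Z uid=1 role=admin POST /mbilling/index.php/user/save body=id=42&status=active",
]


def flag_non_admin_status_writes(lines: List[str]) -> List[int]:
    """Return uids of non-admin callers that sent a 'status' field to the
    save endpoint. Tokens are parsed as space-separated key=value pairs and
    the body as '&'-separated key=value pairs."""
    hits = []
    for line in lines:
        kv = dict(t.split("=", 1) for t in line.split() if "=" in t)
        if "/user/save" not in line or kv.get("role") == "admin":
            continue
        body = dict(p.split("=", 1) for p in kv.get("body", "").split("&") if "=" in p)
        if "status" in body:
            hits.append(int(kv["uid"]))
    return hits
```

The hardened handler rejects an unexpected field instead of ignoring it; an ignored field hides the probe, while a rejection produces an error that the log check above can key on. Applying the same allowlist on the server regardless of what the UI exposes is the substance of the first recommendation; reserving the status field to administrators is the second.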

Exploit · Fix

Tags: LPE

Weakness Enumeration: Improper Access Control, Improper Privilege Management

Related Identifiers: CVE-2025-52289

Affected Products: Magnusbilling