FOSSBilling does not sanitize certain admin-supplied input values. The issue manifests when clients generate invoices for their orders: the invoice PDF includes the company name, which is editable through the admin portal. An attacker with administrative access could exploit this by inserting a malicious link in the company name field. That single change affects every client and can lead to an open redirect vulnerability.
<a href="https://evil.com">CLick here</a>
This sequence of actions reveals a critical vulnerability in the application: an attacker with administrative privileges can exploit the lack of input sanitization. By injecting a malicious link into the company name field, the attacker's HTML propagates throughout the software and affects all clients. When an invoice is generated as a PDF, the injected HTML is rendered, exposing users to the attacker's intended actions and to further security risks.
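The root cause is that an admin-controlled setting reaches the HTML that the PDF engine renders without output encoding. The following added example (not FOSSBilling's own code) contrasts the vulnerable interpolation with the hardened form, and adds a small audit check that flags stored settings containing markup; the template, the `settings` dictionary and the sample values are constructed for illustration.

```python
import html
import re

# Constructed sample values: the payload from the report, saved by an
# administrator as the company name, next to a benign name.
MALICIOUS_COMPANY_NAME = '<a href="https://evil.com">CLick here</a>'
BENIGN_COMPANY_NAME = "Acme Hosting & Co."

# Hypothetical invoice template; the real template lives in the project's PDF code.
INVOICE_TEMPLATE = "<h1>Invoice #{number}</h1><p>Issued by {company}</p>"

def render_invoice_vulnerable(company_name: str, number: int) -> str:
    """Before: the admin-controlled value is placed verbatim into the HTML
    that the PDF renderer interprets, so tags in the value become markup."""
    return INVOICE_TEMPLATE.format(number=number, company=company_name)

def render_invoice_hardened(company_name: str, number: int) -> str:
    """After: encode at the output boundary so the value is always text.
    quote=True also encodes quotes, which matters inside attributes."""
    return INVOICE_TEMPLATE.format(
        number=number, company=html.escape(company_name, quote=True)
    )

# Detection: anything that looks like an HTML tag in a free-text setting.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")

def settings_with_markup(settings: dict) -> list:
    """Audit helper: return the keys of string settings whose stored value
    contains HTML tags, e.g. to review after a suspected admin compromise."""
    return sorted(
        key for key, value in settings.items()
        if isinstance(value, str) and MARKUP_RE.search(value)
    )

if __name__ == "__main__":
    print(render_invoice_vulnerable(MALICIOUS_COMPANY_NAME, 1))
    print(render_invoice_hardened(MALICIOUS_COMPANY_NAME, 1))
    print(settings_with_markup({
        "company_name": MALICIOUS_COMPANY_NAME,
        "company_email": "billing@example.com",
    }))
```

The hardened renderer is the fix to apply wherever a setting is interpolated into PDF or e-mail HTML; the audit helper is only a triage aid for existing data.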