HostBill Arbitrary Code Execution and Privilege Escalation Vulnerability

Vulnerability

HostBill versions through 2025-11-24 and 2025-12-01 lack proper server-side validation in the admin panel, which the advisory reports can be used by remote attackers to execute arbitrary code and escalate privileges. Two entry points are described. The first is the client import feature, which accepts CSV files: rows with missing or invalid values for mandatory registration fields are accepted as-is, so an administrator can create invalid or incomplete client records. The second is the registration field configuration: by manipulating the requests that manage these fields, restrictions on essential fields such as username, email, and password can be modified or bypassed. In both cases the server trusts the client-side form rules and does not re-check the data it stores.

Impact

Exploitation could lead to unauthorized code execution on the server and to elevated privileges, potentially compromising the entire application and its data. Both described vectors require authenticated access to the HostBill admin panel; the path from malformed client records to code execution is not detailed in this advisory.

Reproduction

To reproduce, log into the HostBill admin panel and navigate to 'Manage Clients' -> 'Import Clients (CSV)'. Upload a CSV file containing rows with invalid or missing values, for example an empty email field or a weak password. The application creates the client records without reporting any validation error. Alternatively, intercept the requests sent when managing registration fields (for example with an intercepting proxy) and modify them so that restrictions on mandatory fields such as username, email, or password are removed; the server accepts the modified configuration.
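The following is an added example, not HostBill code, of the server-side check that the two vectors above show to be missing: a CSV import that validates every row against a required-field configuration, and a configuration handler that refuses to relax the protected fields (username, email, password) no matter what the admin request says. The field names, the email pattern, the password policy, the all-or-nothing import semantics and the configuration request format are all assumptions made for illustration.

```python
"""Server-side validation for a CSV client import.

Added example, not HostBill code. Field names, the email check, the
password policy and the config request shape are assumptions.
"""
import csv
import io
import re

# Fields that must always be present and valid, regardless of what an
# admin-facing "registration fields" configuration request says.
PROTECTED_FIELDS = frozenset({"username", "email", "password"})

# Deliberately simple email check (assumption); a real deployment would
# reuse the application's own validator.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample input: one valid row, one with an empty email and a
# weak password, one with a malformed email.
SAMPLE_CSV = """username,email,password,company
alice,alice@example.com,Correct-Horse-9xYz,Example Ltd
bob,,hunter2,
carol,not-an-email,Str0ngEnoughPassw0rd,
"""

# Assumed default configuration: field name -> required?
DEFAULT_CONFIG = {"username": True, "email": True, "password": True,
                  "company": False}


def apply_field_config(current, request):
    """Merge an admin 'required fields' change into the stored config.

    Requests that would mark a protected field as optional are rejected,
    and the invariant is re-asserted even if the stored config was already
    tampered with. Returns (new_config, rejected_fields).
    """
    new_config = dict(current)
    rejected = []
    for field, required in request.items():
        if field in PROTECTED_FIELDS and not required:
            rejected.append(field)
            continue
        new_config[field] = bool(required)
    for field in PROTECTED_FIELDS:
        new_config[field] = True
    return new_config, rejected


def password_is_strong(pw):
    """Minimal assumed policy: 12+ chars with lower, upper and a digit."""
    return (len(pw) >= 12
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"\d", pw) is not None)


def validate_row(row, config):
    """Return a list of error strings for one CSV row (empty if valid)."""
    errors = []
    for field, required in config.items():
        value = (row.get(field) or "").strip()
        if required and not value:
            errors.append(f"{field}: missing")
    email = (row.get("email") or "").strip()
    if email and not EMAIL_RE.match(email):
        errors.append("email: malformed")
    pw = row.get("password") or ""
    if pw and not password_is_strong(pw):
        errors.append("password: weak")
    return errors


def import_clients(csv_text, config):
    """Parse the CSV and validate every row before anything is stored.

    Returns (accepted_rows, rejected) where rejected is a list of
    (line_number, errors). The import is all-or-nothing: if any row fails,
    no rows are accepted, so a bad row cannot create a partial record.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    accepted, rejected = [], []
    for lineno, row in enumerate(reader, start=2):  # header is line 1
        errs = validate_row(row, config)
        if errs:
            rejected.append((lineno, errs))
        else:
            accepted.append(row)
    if rejected:
        return [], rejected
    return accepted, []


if __name__ == "__main__":
    cfg, refused = apply_field_config(DEFAULT_CONFIG, {"email": False, "company": True})
    print("refused to relax:", refused, "config:", cfg)
    ok, bad = import_clients(SAMPLE_CSV, cfg)
    print("accepted:", len(ok), "rejected:", bad)
```

The point of the design is that the required-field set is enforced where the data is persisted, not where the form is rendered: an intercepted configuration request cannot turn `email` optional, and an import that would have silently stored a record with no email is refused with a per-row reason.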

Remediation

Users are advised to update HostBill to the latest version available from the vendor. After updating, review the registration field configuration to confirm that username, email, and password are still mandatory, and audit client records created through the CSV import for missing or malformed mandatory fields.

Added: Apr 14, 2026, 2:21 PM
Updated: Apr 14, 2026, 2:21 PM

Vulnerability Rating

Custom Algorithm

spread: 2.2
impact: 2.5
exploitability: 6.3
remediation: 7.7
relevance: 5.9
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.