HostBill Denial-of-Service Vulnerability in Client Balance Component

Vulnerability

A denial-of-service vulnerability has been identified in HostBill versions 2025-11-24 and 2025-12-01. The Client Balance component accepts a negative value in the 'Add Credit to Customer' amount field without validation. A remote attacker with access to the admin panel's 'Manage Clients' function can use this to assign a negative balance to a client account. The negative balance freezes the client's actual balance and causes every purchase on the account to be marked as overdue regardless of payment status, leading to billing inconsistencies and service disruption for the affected client.

Impact

Exploitation causes service disruption and billing inconsistencies for the affected client: the client's real account balance is frozen, and all of the client's purchases are reported as overdue even when they have been paid. No code execution or data disclosure is involved; the impact is limited to availability and billing integrity.

Reproduction

To reproduce this vulnerability, log into the HostBill admin panel and navigate to 'Manage Clients'. Select a client and open the 'Client Balance' section. Choose 'Add Credit to Customer' and enter a negative value as the credit amount. After the change is submitted, the client's balance becomes negative. When the client then attempts to make a purchase, the purchase is marked as overdue and the client's actual balance remains frozen. Note that the steps require an account that can reach the admin panel's Client Balance function; the affected versions perform no server-side check that the submitted credit amount is positive.
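The root cause described above is a monetary input that is trusted as submitted. The following is an added example, not HostBill's own code, showing the unvalidated credit-adjustment pattern next to a hardened one that parses the amount as a Decimal and rejects negative, zero, non-finite, non-numeric, over-precise and out-of-policy values. The account model, the MAX_CREDIT limit and the mark_overdue function are assumptions made for illustration; mark_overdue only models the symptom the advisory reports (a negative balance makes every purchase show as overdue), not HostBill's actual billing logic.

```python
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation

# Policy limit assumed for this example; HostBill's real limits are not documented here.
MAX_CREDIT = Decimal("1000000.00")
CENTS = Decimal("0.01")


class ValidationError(ValueError):
    """Raised when a submitted credit amount is rejected."""


def parse_credit_amount(raw) -> Decimal:
    """Validate an 'Add Credit to Customer' amount as submitted from a form field.

    Accepts only a finite, strictly positive amount with at most two decimal
    places and within the policy limit. Negative numbers (the advisory's case),
    zero, NaN/Infinity, non-numeric strings and huge values are all rejected.
    """
    try:
        amount = Decimal(str(raw).strip())
    except (InvalidOperation, ValueError):
        raise ValidationError(f"not a number: {raw!r}")
    if not amount.is_finite():
        raise ValidationError("amount must be a finite number")
    if amount <= 0:
        raise ValidationError("credit amount must be greater than zero")
    if amount > MAX_CREDIT:  # checked before quantize, which would overflow on huge exponents
        raise ValidationError("credit amount exceeds policy limit")
    if amount != amount.quantize(CENTS):
        raise ValidationError("amount must have at most two decimal places")
    return amount.quantize(CENTS)


def rejects(raw) -> bool:
    """True if parse_credit_amount rejects the given raw input."""
    try:
        parse_credit_amount(raw)
    except ValidationError:
        return True
    return False


@dataclass
class ClientAccount:
    """Minimal client balance model (an assumption, not HostBill's data model)."""
    client_id: int
    balance: Decimal = Decimal("0.00")
    ledger: list = field(default_factory=list)  # (note, signed amount) entries

    def add_credit_unvalidated(self, raw, note="admin credit") -> Decimal:
        """Vulnerable pattern: trusts the submitted value, so '-500' drives the balance negative."""
        amount = Decimal(str(raw))
        self.balance += amount
        self.ledger.append((note, amount))
        return self.balance

    def add_credit(self, raw, note="admin credit") -> Decimal:
        """Hardened pattern: only a validated, positive amount ever reaches the ledger."""
        amount = parse_credit_amount(raw)
        self.balance += amount
        self.ledger.append((note, amount))
        return self.balance


def mark_overdue(account: ClientAccount, invoice_paid: bool) -> bool:
    """Model of the reported symptom (assumed for illustration): once the stored
    balance is negative every purchase is reported overdue, paid or not."""
    if account.balance < 0:
        return True
    return not invoice_paid


if __name__ == "__main__":
    victim = ClientAccount(client_id=1)
    victim.add_credit_unvalidated("-500")          # constructed attacker input
    print("unvalidated balance:", victim.balance, "paid invoice overdue?", mark_overdue(victim, True))
    hardened = ClientAccount(client_id=2)
    hardened.add_credit("25.50")
    print("hardened balance:", hardened.balance, "rejects -500?", rejects("-500"))
```

The two-decimal check deliberately runs after the policy-limit check: Decimal.quantize raises on values whose exponent exceeds the context precision, so a submitted "1e308" must be bounded first or the hardened path would fail with an unexpected exception instead of a clean rejection.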

Remediation

HostBill has released a security update for this vulnerability. Users are advised to update to the latest version, 2025-12-01, either manually or using the Auto-Update plugin.

Added: Apr 24, 2026, 8:38 PM
Updated: Apr 24, 2026, 8:38 PM

Vulnerability Rating

Custom Algorithm
spread: 2.2
impact: 0.6
exploitability: 6.3
remediation: 7.7
relevance: 6.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.