HostBill
cpe:2.3:a:hostbillapp:hostbill:*:*:*:*:*:*:*
- 2025-11-24
- 2025-12-01
A denial-of-service vulnerability has been identified in HostBill versions through 2025-12-01. The issue arises in the Checkout Authentication Flow component, where the server-side CAPTCHA validation is improperly enforced. This flaw allows remote attackers to bypass CAPTCHA protections and execute brute-force login attempts during the checkout process.
Exploitation of this vulnerability can lead to a denial-of-service condition by allowing attackers to automate login attempts, potentially causing account lockouts or overwhelming the server with authentication requests.
To reproduce this vulnerability, add a product to the cart and proceed to checkout without logging in. Select the 'Already Registered Customer' option, which presents a login form with a CAPTCHA. However, the CAPTCHA is not validated by the server. By removing the CAPTCHA parameter or reusing the same CAPTCHA value, multiple login attempts can be sent without triggering validation or rate limits.
Users are advised to update HostBill to the latest version.
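As an added illustration (hypothetical code, not HostBill's), this is the server-side enforcement the advisory describes as missing for the 'Already Registered Customer' form: each CAPTCHA id is single-use and is checked before the password, a request with the CAPTCHA parameter removed or reused is rejected, and failed attempts per account are counted so automated retries lock out. The user store, form field names and limits are constructed assumptions.

```python
import secrets
import time
from dataclasses import dataclass, field

MAX_ATTEMPTS = 5       # failed logins per account per window (assumed policy)
WINDOW_SECONDS = 300   # length of the lockout window in seconds (assumed policy)

# Constructed user store standing in for the real customer table.
USERS = {"alice@example.com": "correct horse"}


def verify_password(email: str, password: str) -> bool:
    stored = USERS.get(email)
    return stored is not None and secrets.compare_digest(stored, password)


@dataclass
class CheckoutLoginGuard:
    """Server-side state for the checkout login form."""
    issued: dict = field(default_factory=dict)    # captcha_id -> expected answer
    failures: dict = field(default_factory=dict)  # email -> failure timestamps

    def issue_captcha(self, answer: str) -> str:
        """Issue a one-time CAPTCHA id bound to its expected answer."""
        cid = secrets.token_urlsafe(16)
        self.issued[cid] = answer
        return cid

    def check_captcha(self, cid, answer) -> bool:
        """True only if the id exists, the answer matches, and it was not used before."""
        if not cid or not answer:
            return False                       # parameter removed: reject
        expected = self.issued.pop(cid, None)  # pop consumes it, so reuse fails
        return expected is not None and secrets.compare_digest(expected, answer)

    def login(self, form: dict, now=None) -> str:
        now = time.time() if now is None else now
        email = form.get("email", "")
        recent = [t for t in self.failures.get(email, []) if now - t < WINDOW_SECONDS]
        self.failures[email] = recent
        if len(recent) >= MAX_ATTEMPTS:
            return "locked"
        # CAPTCHA is enforced before the password, whether or not the field was sent.
        if not self.check_captcha(form.get("captcha_id"), form.get("captcha")):
            recent.append(now)
            return "captcha_failed"
        if verify_password(email, form.get("password", "")):
            self.failures.pop(email, None)
            return "ok"
        recent.append(now)
        return "bad_credentials"
```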