An issue in Hostbill v.2025-11-24 and 2025-12-01 allows a remote attacker to execute arbitrary code and escalate privileges via the CSV registration field
The vulnerability classified as CWE-1236 (Improper Neutralization of Formula Elements in a CSV File) allows an attacker to inject malicious formulas or payloads into the CSV field of the registration form. The lack of server-side input validation causes the uploaded content to be processed in an unsafe manner. As a result, arbitrary code execution on the server and obtaining elevated privileges in the system are possible.
An attacker can remotely execute arbitrary code on the server (RCE) without requiring any permissions, and subsequently escalate their privileges (privilege escalation), which may lead to complete takeover of the system and compromise of data confidentiality, integrity, and availability.
Hostbill should be updated to a version containing the security patch described in the vendor's official security advisory (https://blog.hostbillapp.com/2025/12/03/hostbill-security-advisory/) and patches should be applied in accordance with the vendor's release notes from 27.11.2025 and 01.12.2025. It is also recommended to verify registration logs for anomalous input data in CSV fields.
Hostbill in versions 2025-11-24 and 2025-12-01
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H