Description
Capgo before 12.128.12 contains a billing authorization bypass vulnerability in the plan_valid calculation that allows organizations with exhausted or expired usage credit grants to bypass billing gates. Attackers can exploit the divergence between the plugin hot-path plan_valid expression and the authoritative billing gate to gain continued access to /updates, /stats, /channel_self, and attachment upload endpoints after credit depletion.
Problem types
Product status
Any version before 12.128.12
12.128.12 (semver)
Credits
Judel777
References
github.com/.../capgo/security/advisories/GHSA-g9fc-82c2-p2r6
github.com/.../capgo/security/advisories/GHSA-g9fc-82c2-p2r6 (GitHub Security Advisory (GHSA-g9fc-82c2-p2r6))
www.vulncheck.com/...tion-bypass-via-exhausted-usage-credits (VulnCheck Advisory: Capgo - Billing Authorization Bypass via Exhausted Usage Credits)