How the CVE Works
This flaw resides in the user update logic of the `EditUser` controller. When a user submits a profile change, the backend accepts a `nick` parameter in the POST request. The UI hides this field to prevent modifications, but an intercepting proxy can be used to inject an arbitrary value. The server processes that value without any server-side validation: it neither verifies that the submitted `nick` matches the stored username nor checks that the current session is authorized to modify this identifier, which is meant to be immutable. As a result, an authenticated attacker can rename any account, including the administrator, simply by intercepting the profile save request and altering the `nick` parameter. The application then logs the user out and allows re‑authentication with the new username and the original password. This trivial bypass grants full control over account names, leading to broken access control and audit‑log corruption. The vulnerability is classified as CWE‑284 (Improper Access Control) with a CVSS v3.1 score of 4.3 (Medium). Affected versions include all FacturaScripts releases up to and including 2024.92.x‑dev.
DailyCVE Form
Platform: FacturaScripts
Version: 2024.92.x-dev
Vulnerability: Broken Access Control
Severity: Medium
Date: 2026‑04‑28
Prediction: Patch 2026‑05‑28
What Undercode Say: Analytics
# Check whether the 'nick' parameter is accepted without validation.
# A 200 response alone proves nothing; the rename is confirmed only if the
# new nick works at the next login with the original password.
curl -X POST "https://target.com/EditUser" \
  -H "Cookie: session=..." \
  -d "nick=attacker&email=..."

# Scan for vulnerable versions (2024.92.x-dev and earlier).
# This pattern only matches 2024.92 lines; earlier releases are affected too.
grep -r "facturascripts/facturascripts" composer.json | grep "2024.92"
Exploit
1. Log in as any user.
2. Go to Profile and click Save while intercepting the request with Burp Suite.
3. In the intercepted POST to /EditUser, replace the value of `nick` with a new username.
4. Forward the request.
5. Log out and re‑authenticate using the new username and the original password.
Protection from this CVE
- Upgrade to a patched version when released (later than 2024.92.x‑dev).
- Implement server‑side validation of the `nick` parameter: enforce immutability and check that the session is allowed to edit the target account.
- Use a web application firewall (WAF) to block requests containing an unexpected `nick` field. Because the legitimate form carries the field as a hidden input, a WAF rule can only reject it outright and is a stopgap until the server‑side check exists.
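The missing checks described in "How the CVE Works" and the server‑side fix listed above, modelled in Python as an added example (this is not FacturaScripts code): a minimal profile‑save handler in its vulnerable form, which writes whatever `nick` arrives, beside a hardened form that enforces immutability and ownership. The in‑memory user store, the `target` form parameter naming the account being edited, the audit log format and the sample accounts are assumptions of this model.

```python
"""
Added example for this advisory, not code from FacturaScripts: a minimal model
of a profile-save handler with a hidden `nick` field, in a vulnerable and a
hardened form. The user store, the `target` form parameter naming the account
being edited, and the audit log are assumptions of this model.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class User:
    nick: str            # login name; the store is keyed by it, like a primary key
    email: str
    is_admin: bool = False


class AccessDenied(Exception):
    pass


def make_store() -> Dict[str, User]:
    """Constructed sample data: one administrator and one ordinary user."""
    return {
        "admin": User("admin", "admin@example.test", is_admin=True),
        "alice": User("alice", "alice@example.test"),
    }


def save_profile_vulnerable(store: Dict[str, User], session_nick: str,
                            form: Dict[str, str], audit: List[str]) -> User:
    """Behaviour the advisory describes: whatever `nick` arrives is written.

    The UI hides the field, but nothing here compares it with the stored
    value or asks whether `session_nick` may touch the target account.
    """
    user = store.pop(form["target"])
    user.nick = form.get("nick", user.nick)
    user.email = form.get("email", user.email)
    store[user.nick] = user
    audit.append(f"{session_nick}: updated profile of {user.nick}")
    return user


def save_profile_hardened(store: Dict[str, User], session_nick: str,
                          form: Dict[str, str], audit: List[str]) -> User:
    """Same handler with the two server-side checks the advisory asks for."""
    actor = store[session_nick]
    target = store.get(form.get("target", session_nick))
    if target is None:
        raise AccessDenied("unknown account")
    # Authorization: only the account owner or an administrator may save it.
    if target.nick != actor.nick and not actor.is_admin:
        audit.append(f"{session_nick}: REJECTED edit of {target.nick}")
        raise AccessDenied("not allowed to edit this account")
    # Immutability: a submitted nick is accepted only if it is unchanged.
    submitted = form.get("nick", target.nick)
    if submitted != target.nick:
        audit.append(f"{session_nick}: REJECTED rename {target.nick} -> {submitted}")
        raise AccessDenied("nick is not editable")
    target.email = form.get("email", target.email)
    audit.append(f"{session_nick}: updated profile of {target.nick}")
    return target


def orphaned_audit_actors(store: Dict[str, User], audit: List[str]) -> List[str]:
    """Audit lines whose actor no longer resolves to an account (the Impact case)."""
    return [line for line in audit if line.split(":", 1)[0] not in store]


def demo() -> dict:
    """Run the attacker's request against both handlers and return the outcomes."""
    # Constructed request: alice is logged in, intercepts her profile save,
    # points it at the admin account and supplies a new nick.
    form = {"target": "admin", "nick": "owned", "email": "admin@example.test"}

    vuln_store, vuln_audit = make_store(), ["admin: created supplier 42"]
    renamed = save_profile_vulnerable(vuln_store, "alice", form, vuln_audit)

    safe_store, safe_audit = make_store(), ["admin: created supplier 42"]
    try:
        save_profile_hardened(safe_store, "alice", form, safe_audit)
        blocked = False
    except AccessDenied:
        blocked = True

    return {
        "vulnerable_admin_nick": renamed.nick,               # "owned"
        "vulnerable_orphaned": orphaned_audit_actors(vuln_store, vuln_audit),
        "hardened_blocked": blocked,                          # True
        "hardened_admin_nick": safe_store["admin"].nick,      # still "admin"
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two consequences the advisory lists side by side: the vulnerable handler leaves the administrator's earlier audit line pointing at a nick that no longer exists, while the hardened handler rejects the request and records the attempt under the session's real nick. The immutability check also stops an owner from renaming their own account, which is the path the Exploit section walks through.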
Impact
An attacker can rename the administrator account, effectively taking over the system. Audit logs become unreliable because entries linked to the original username become orphaned, allowing malicious actions to be hidden or misattributed. This undermines the entire accountability framework of the multi‑user environment.
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

