{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/facturascripts--2025--2026.2/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["FacturaScripts (\u003e= 2025, \u003c= 2026.2)"],"_cs_severities":["critical"],"_cs_tags":["web-application","path-traversal","remote-code-execution","php"],"_cs_type":"advisory","_cs_vendors":["FacturaScripts"],"content_html":"\u003cp\u003eA critical path traversal vulnerability, tracked as GHSA-hgjx-r89m-m7v4, exists in FacturaScripts versions 2025 up to and including 2026.2. The flaw resides in the \u003ccode\u003eUploadedFile::move()\u003c/code\u003e method, which incorrectly concatenates the destination path with the unsanitized \u003ccode\u003egetClientOriginalName()\u003c/code\u003e from user-supplied filenames. This allows an authenticated attacker to inject \u003ccode\u003e../\u003c/code\u003e segments into filenames during file uploads, bypassing the intended \u003ccode\u003eMyFiles/\u003c/code\u003e directory and writing arbitrary files to any location writable by the web server user. This primitive can be leveraged to achieve remote code execution (RCE) by uploading a specially crafted Apache \u003ccode\u003e.htaccess\u003c/code\u003e file into directories directly served by Apache (such as \u003ccode\u003eDinamic/Assets/\u003c/code\u003e), followed by a PHP payload disguised with a benign extension like \u003ccode\u003e.png\u003c/code\u003e. The vulnerability affects any user with upload privileges, including non-administrative roles.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated attacker obtains valid credentials or an API token with file upload permissions (e.g., to \u003ccode\u003e/api/3/uploadfiles\u003c/code\u003e or \u003ccode\u003e/api/3/attachedfiles\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP POST request to a vulnerable upload endpoint (e.g., \u003ccode\u003e/api/3/uploadfiles\u003c/code\u003e), submitting a file with a malicious filename containing path traversal sequences, such as \u003ccode\u003e../Dinamic/Assets/.htaccess\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eUploadedFile::move()\u003c/code\u003e method in FacturaScripts processes this filename without proper sanitization, concatenating it with the base directory, causing the \u003ccode\u003e.htaccess\u003c/code\u003e file to be written into the \u003ccode\u003eDinamic/Assets/\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eThe uploaded \u003ccode\u003e.htaccess\u003c/code\u003e file contains a directive like \u003ccode\u003eAddType application/x-httpd-php .png\u003c/code\u003e, instructing Apache to parse \u003ccode\u003e.png\u003c/code\u003e files as PHP scripts within that directory.\u003c/li\u003e\n\u003cli\u003eThe attacker then initiates a second file upload using the same path traversal technique, delivering a file named \u003ccode\u003e../Dinamic/Assets/x.png\u003c/code\u003e containing arbitrary PHP code (e.g., \u003ccode\u003e\u0026lt;?php phpinfo(); ?\u0026gt;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe PHP payload is written to \u003ccode\u003eDinamic/Assets/x.png\u003c/code\u003e due to the path traversal vulnerability.\u003c/li\u003e\n\u003cli\u003eThe default Apache configuration for FacturaScripts (from \u003ccode\u003ehtaccess-sample\u003c/code\u003e) excludes \u003ccode\u003eDinamic/Assets/\u003c/code\u003e from \u003ccode\u003eindex.php\u003c/code\u003e rewrite rules, meaning files in this directory are served directly by Apache.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses \u003ccode\u003ehttps://target/Dinamic/Assets/x.png\u003c/code\u003e via a web browser or HTTP request, causing the Apache web server to execute the uploaded PHP code as the web-server user, resulting in remote code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of GHSA-hgjx-r89m-m7v4 allows an authenticated attacker to achieve full remote code execution (RCE) as the web-server user. This includes the ability to execute arbitrary commands, steal data, deface the website, or compromise the server hosting FacturaScripts. The attacker can also inject client-side script by overwriting legitimate JavaScript or CSS files within the \u003ccode\u003eDinamic/Assets/\u003c/code\u003e directory, leading to session takeover for administrators or other users on subsequent page loads. The vulnerability affects a wide range of users, as even non-administrative roles often possess the necessary upload permissions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM solution to detect attempts to upload malicious \u003ccode\u003e.htaccess\u003c/code\u003e or PHP files using path traversal.\u003c/li\u003e\n\u003cli\u003eMonitor \u003ccode\u003ewebserver\u003c/code\u003e logs for HTTP POST requests to \u003ccode\u003e/api/3/uploadfiles\u003c/code\u003e, \u003ccode\u003e/api/3/attachedfiles\u003c/code\u003e, or other file upload endpoints that include \u003ccode\u003e../\u003c/code\u003e sequences in the filename or \u003ccode\u003ecs-uri-query\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003ePatch FacturaScripts to a version greater than 2026.2 immediately upon availability of a fix, as specified in the GitHub Security Advisory GHSA-hgjx-r89m-m7v4.\u003c/li\u003e\n\u003cli\u003eImplement strong logging for \u003ccode\u003ewebserver\u003c/code\u003e activity, particularly for POST requests and file uploads, to enable detection of the described attack chain.\u003c/li\u003e\n\u003cli\u003eEnsure server configurations enforce least privilege for the web-server user to minimize potential damage from RCE.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-14T20:54:46Z","date_published":"2026-07-14T20:54:46Z","id":"https://feed.craftedsignal.io/briefs/2026-07-facturascripts-path-traversal-rce/","summary":"An authenticated attacker can exploit a path traversal vulnerability (GHSA-hgjx-r89m-m7v4) in FacturaScripts versions 2025 through 2026.2's file upload functionality to write arbitrary files outside intended directories, leading to remote code execution as the web-server user.","title":"FacturaScripts Path Traversal to Remote Code Execution Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-07-facturascripts-path-traversal-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - FacturaScripts (\u003e= 2025, \u003c= 2026.2)","version":"https://jsonfeed.org/version/1.1"}