{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/facturascripts--2025.71/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["facturascripts (\u003c= 2025.71)"],"_cs_severities":["critical"],"_cs_tags":["zip-slip","rce","factura scripts"],"_cs_type":"advisory","_cs_vendors":["FacturaScripts"],"content_html":"\u003cp\u003eFacturaScripts, a web application, is vulnerable to a critical remote code execution (RCE) vulnerability (CVE-2026-27891) due to a Zip Slip flaw in the plugin upload mechanism. Specifically, the \u003ccode\u003ePlugins::add()\u003c/code\u003e function fails to properly validate file paths within uploaded ZIP archives. This allows an attacker to inject malicious PHP code into arbitrary locations on the server by crafting a ZIP archive with path traversal sequences. The vulnerability affects FacturaScripts versions 2025.71 and earlier. Successful exploitation allows an attacker to gain complete control of the affected system, potentially leading to data theft, system compromise, or denial of service. This poses a significant threat to organizations using FacturaScripts for their business operations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious ZIP archive containing a PHP file with a web shell, such as \u003ccode\u003erce.php\u003c/code\u003e. The malicious filename includes path traversal sequences like \u003ccode\u003eMyPlugin/../../rce.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker logs into the FacturaScripts web application with administrative privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the plugin management section.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the crafted malicious ZIP archive through the \u0026ldquo;Add Plugin\u0026rdquo; functionality.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ePlugins::add()\u003c/code\u003e function processes the uploaded ZIP file, bypassing the single root folder check with the \u003ccode\u003eValidPluginName\u003c/code\u003e prefix, but fails to properly sanitize the file paths.\u003c/li\u003e\n\u003cli\u003eThe ZIP archive is extracted, and the malicious PHP file \u003ccode\u003erce.php\u003c/code\u003e is written to an arbitrary location outside the intended plugin directory due to the \u003ccode\u003e../../\u003c/code\u003e path traversal sequence.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an HTTP request to the injected PHP web shell (e.g., \u003ccode\u003ehttps://target.com/rce.php?cmd=whoami\u003c/code\u003e) with commands to execute.\u003c/li\u003e\n\u003cli\u003eThe web server executes the attacker\u0026rsquo;s command, granting the attacker arbitrary code execution on the server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to achieve Remote Code Execution (RCE) on the FacturaScripts server. The attacker can read all database configurations and files, modify any file on the server, and potentially delete the entire installation. This can lead to complete compromise of the system, data theft, and disruption of business operations. Given the sensitive nature of data often managed by FacturaScripts, such as financial records and customer information, the impact is considered high across confidentiality, integrity, and availability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade FacturaScripts to a patched version beyond 2025.71 to remediate CVE-2026-27891.\u003c/li\u003e\n\u003cli\u003eImplement server-side input validation to sanitize uploaded filenames and prevent path traversal during ZIP extraction.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious HTTP requests to potentially injected PHP shells such as \u003ccode\u003e/rce.php\u003c/code\u003e using a rule like \u0026ldquo;Detect Access to Web Shell via GET Parameter\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect FacturaScripts Plugin Upload with Path Traversal\u0026rdquo; to identify malicious ZIP uploads.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-facturascripts-rce/","summary":"FacturaScripts is vulnerable to remote code execution due to insufficient validation of file paths within uploaded ZIP archives, allowing a Zip Slip attack and arbitrary file write leading to RCE.","title":"FacturaScripts Remote Code Execution via Zip Slip Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-facturascripts-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Facturascripts (\u003c= 2025.71)","version":"https://jsonfeed.org/version/1.1"}