{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/facturascripts--2026.2/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["facturascripts (\u003c= 2026.2)"],"_cs_severities":["critical"],"_cs_tags":["authentication-bypass","brute-force","2fa-bypass","web-application","facturascripts","php"],"_cs_type":"advisory","_cs_vendors":["FacturaScripts"],"content_html":"\u003cp\u003eUnauthenticated attackers can exploit an authentication bypass vulnerability, identified as CVE-2026-47677, in FacturaScripts' two-factor authentication (2FA) validation endpoint (\u003ccode\u003e/login?action=two-factor-validation\u003c/code\u003e). This flaw affects FacturaScripts versions up to and including 2026.2. The endpoint is designed to accept Time-based One-Time Passwords (TOTP) but critically lacks password verification, Cross-Site Request Forgery (CSRF) protection, and effective rate-limiting. This combination renders TOTP codes susceptible to brute-force attacks. Due to a lenient \u003ccode\u003eVERIFICATION_WINDOW = 8\u003c/code\u003e, approximately 17 distinct six-digit TOTP codes are simultaneously valid for a given user, significantly reducing the search space. A public Proof of Concept (PoC) demonstrates that an attacker, knowing only a target user's nickname (e.g., 'admin'), can successfully brute-force a valid TOTP code in minutes to an hour from a single IP address, leading to complete account takeover. This vulnerability grants attackers full access to compromised accounts, enabling high confidentiality and integrity impacts, and can also result in denial of service by locking legitimate users out of their accounts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a target FacturaScripts instance accessible via the network.\u003c/li\u003e\n\u003cli\u003eThe attacker determines a valid username (\u003ccode\u003efsNick\u003c/code\u003e) belonging to a 2FA-enabled account (e.g., 'admin', 'company_name', or user initials).\u003c/li\u003e\n\u003cli\u003eThe attacker sends numerous HTTP POST requests to the \u003ccode\u003e/login\u003c/code\u003e endpoint, specifically targeting the \u003ccode\u003eaction=two-factor-validation\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eEach POST request includes the target \u003ccode\u003efsNick\u003c/code\u003e and an iterated 6-digit \u003ccode\u003efsTwoFactorCode\u003c/code\u003e value.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003etwoFactorValidationAction()\u003c/code\u003e endpoint processes these requests without requiring prior password authentication, validating a CSRF token, or applying rate-limiting, allowing for rapid brute-force attempts.\u003c/li\u003e\n\u003cli\u003eDue to the configured \u003ccode\u003eTwoFactorManager::VERIFICATION_WINDOW = 8\u003c/code\u003e, up to 17 TOTP codes are simultaneously valid for a single 30-second time slot, greatly facilitating the brute-force process.\u003c/li\u003e\n\u003cli\u003eUpon a successful guess of a valid \u003ccode\u003efsTwoFactorCode\u003c/code\u003e, the server issues a complete session cookie pair (\u003ccode\u003efsNick\u003c/code\u003e and \u003ccode\u003efsLogkey\u003c/code\u003e) without further security checks.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the obtained session cookies to gain full and persistent access to the victim's account, allowing them to read sensitive data, modify records, change permissions, and potentially install malicious plugins.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-47677 leads to complete account takeover for any 2FA-enabled user within FacturaScripts, including administrative accounts. This results in high confidentiality impact, allowing attackers to access all data visible to the compromised user, such as invoices, customer information, accounting ledgers, attached files, and API keys. The integrity impact is also high, as attackers can create, modify, or delete records, alter user permissions, and potentially upload or install malicious code through admin privileges. Furthermore, the vulnerability enables a targeted denial of service (DoS) by allowing attackers to generate six failed 2FA attempts for a specific user, triggering an account lockout for 10 minutes (\u003ccode\u003eMAX_INCIDENT_COUNT = 6\u003c/code\u003e). This lockout mechanism can be repeatedly exploited, effectively blocking legitimate users from accessing their accounts.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy a patch that implements the four fixes outlined in the advisory for CVE-2026-47677, specifically requiring password completion evidence (nonce), CSRF token validation, pre-check of user incidents, and reducing \u003ccode\u003eTwoFactorManager::VERIFICATION_WINDOW\u003c/code\u003e to 1.\u003c/li\u003e\n\u003cli\u003eImplement the suggested Sigma rule to detect attempts to access the vulnerable \u003ccode\u003e/login?action=two-factor-validation\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eEnhance web server or WAF configurations to implement aggressive rate-limiting for POST requests to the \u003ccode\u003e/login\u003c/code\u003e endpoint, particularly those containing \u003ccode\u003eaction=two-factor-validation\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEnable comprehensive web server access logging to monitor for repeated POST requests to \u003ccode\u003e/login?action=two-factor-validation\u003c/code\u003e from single source IP addresses.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-13T23:36:54Z","date_published":"2026-07-13T23:36:54Z","id":"https://feed.craftedsignal.io/briefs/2026-07-facturascripts-account-takeover/","summary":"An authentication bypass vulnerability (CVE-2026-47677) in FacturaScripts' `/login?action=two-factor-validation` endpoint allows unauthenticated attackers to conduct a brute-force attack against Time-based One-Time Passwords (TOTP) for any 2FA-enabled user, including administrators, due to the absence of password verification, CSRF protection, and rate-limiting, leading to complete account takeover with high confidentiality and integrity impact, as well as potential denial of service via account lockout.","title":"FacturaScripts: Account takeover of any 2FA-enabled user due to authentication bypass","url":"https://feed.craftedsignal.io/briefs/2026-07-facturascripts-account-takeover/"}],"language":"en","title":"CraftedSignal Threat Feed - Facturascripts (\u003c= 2026.2)","version":"https://jsonfeed.org/version/1.1"}