<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Facturascripts (&lt;= 2026.2) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/facturascripts--2026.2/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 13 Jul 2026 23:36:54 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/facturascripts--2026.2/feed.xml" rel="self" type="application/rss+xml"/><item><title>FacturaScripts: Account takeover of any 2FA-enabled user due to authentication bypass</title><link>https://feed.craftedsignal.io/briefs/2026-07-facturascripts-account-takeover/</link><pubDate>Mon, 13 Jul 2026 23:36:54 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-facturascripts-account-takeover/</guid><description>An authentication bypass vulnerability (CVE-2026-47677) in FacturaScripts' `/login?action=two-factor-validation` endpoint allows unauthenticated attackers to conduct a brute-force attack against Time-based One-Time Passwords (TOTP) for any 2FA-enabled user, including administrators, due to the absence of password verification, CSRF protection, and rate-limiting, leading to complete account takeover with high confidentiality and integrity impact, as well as potential denial of service via account lockout.</description><content:encoded><![CDATA[<p>Unauthenticated attackers can exploit an authentication bypass vulnerability, identified as CVE-2026-47677, in FacturaScripts' two-factor authentication (2FA) validation endpoint (<code>/login?action=two-factor-validation</code>). This flaw affects FacturaScripts versions up to and including 2026.2. The endpoint is designed to accept Time-based One-Time Passwords (TOTP) but critically lacks password verification, Cross-Site Request Forgery (CSRF) protection, and effective rate-limiting. This combination renders TOTP codes susceptible to brute-force attacks. Due to a lenient <code>VERIFICATION_WINDOW = 8</code>, approximately 17 distinct six-digit TOTP codes are simultaneously valid for a given user, significantly reducing the search space. A public Proof of Concept (PoC) demonstrates that an attacker, knowing only a target user's nickname (e.g., 'admin'), can successfully brute-force a valid TOTP code in minutes to an hour from a single IP address, leading to complete account takeover. This vulnerability grants attackers full access to compromised accounts, enabling high confidentiality and integrity impacts, and can also result in denial of service by locking legitimate users out of their accounts.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker identifies a target FacturaScripts instance accessible via the network.</li>
<li>The attacker determines a valid username (<code>fsNick</code>) belonging to a 2FA-enabled account (e.g., 'admin', 'company_name', or user initials).</li>
<li>The attacker sends numerous HTTP POST requests to the <code>/login</code> endpoint, specifically targeting the <code>action=two-factor-validation</code> parameter.</li>
<li>Each POST request includes the target <code>fsNick</code> and an iterated 6-digit <code>fsTwoFactorCode</code> value.</li>
<li>The <code>twoFactorValidationAction()</code> endpoint processes these requests without requiring prior password authentication, validating a CSRF token, or applying rate-limiting, allowing for rapid brute-force attempts.</li>
<li>Due to the configured <code>TwoFactorManager::VERIFICATION_WINDOW = 8</code>, up to 17 TOTP codes are simultaneously valid for a single 30-second time slot, greatly facilitating the brute-force process.</li>
<li>Upon a successful guess of a valid <code>fsTwoFactorCode</code>, the server issues a complete session cookie pair (<code>fsNick</code> and <code>fsLogkey</code>) without further security checks.</li>
<li>The attacker uses the obtained session cookies to gain full and persistent access to the victim's account, allowing them to read sensitive data, modify records, change permissions, and potentially install malicious plugins.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-47677 leads to complete account takeover for any 2FA-enabled user within FacturaScripts, including administrative accounts. This results in high confidentiality impact, allowing attackers to access all data visible to the compromised user, such as invoices, customer information, accounting ledgers, attached files, and API keys. The integrity impact is also high, as attackers can create, modify, or delete records, alter user permissions, and potentially upload or install malicious code through admin privileges. Furthermore, the vulnerability enables a targeted denial of service (DoS) by allowing attackers to generate six failed 2FA attempts for a specific user, triggering an account lockout for 10 minutes (<code>MAX_INCIDENT_COUNT = 6</code>). This lockout mechanism can be repeatedly exploited, effectively blocking legitimate users from accessing their accounts.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy a patch that implements the four fixes outlined in the advisory for CVE-2026-47677, specifically requiring password completion evidence (nonce), CSRF token validation, pre-check of user incidents, and reducing <code>TwoFactorManager::VERIFICATION_WINDOW</code> to 1.</li>
<li>Implement the suggested Sigma rule to detect attempts to access the vulnerable <code>/login?action=two-factor-validation</code> endpoint.</li>
<li>Enhance web server or WAF configurations to implement aggressive rate-limiting for POST requests to the <code>/login</code> endpoint, particularly those containing <code>action=two-factor-validation</code>.</li>
<li>Enable comprehensive web server access logging to monitor for repeated POST requests to <code>/login?action=two-factor-validation</code> from single source IP addresses.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>authentication-bypass</category><category>brute-force</category><category>2fa-bypass</category><category>web-application</category><category>facturascripts</category><category>php</category></item></channel></rss>