{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/scramble-0.13.2---0.13.21/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["scramble (0.13.2 - 0.13.21)"],"_cs_severities":["critical"],"_cs_tags":["rce","vulnerability","php"],"_cs_type":"advisory","_cs_vendors":["composer"],"content_html":"\u003cp\u003eA remote code execution vulnerability, identified as CVE-2026-44262, affects Scramble versions 0.13.2 up to 0.13.21. This flaw stems from the evaluation of user-controlled input within validation rules when documentation endpoints are publicly accessible. Specifically, during the generation of API documentation, request-supplied data that is referenced in the validation rules can be evaluated, resulting in the execution of arbitrary PHP code within the application\u0026rsquo;s context. This vulnerability allows unauthenticated attackers to potentially gain full control of the affected system. The issue has been addressed in Scramble version 0.13.22. Defenders should prioritize patching to mitigate the risk of exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a Scramble application running a vulnerable version (0.13.2 - 0.13.21) with publicly accessible documentation endpoints, such as \u003ccode\u003e/docs/api\u003c/code\u003e or \u003ccode\u003e/docs/api.json\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the application\u0026rsquo;s validation rules to identify endpoints that utilize user-controlled input (e.g., request parameters) within validation expressions.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request containing a payload designed to inject PHP code into the validation rule\u0026rsquo;s expression.\u003c/li\u003e\n\u003cli\u003eThe crafted request is sent to an endpoint that triggers the vulnerable validation rule.\u003c/li\u003e\n\u003cli\u003eDuring the documentation generation process, Scramble evaluates the malicious input, leading to the execution of the injected PHP code.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s PHP code executes within the application\u0026rsquo;s context, potentially allowing them to read sensitive files, execute system commands, or establish a reverse shell.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the gained access to move laterally within the network, escalate privileges, or exfiltrate sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data theft, system compromise, or denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary PHP code on the affected server. This can lead to complete system compromise, including data theft, modification, or destruction. Given the nature of RCE vulnerabilities, the impact is considered critical. The number of affected systems depends on the prevalence of Scramble within publicly accessible environments, but any unpatched instance is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Scramble to version 0.13.22 or later to patch CVE-2026-44262.\u003c/li\u003e\n\u003cli\u003eRestrict access to documentation endpoints (\u003ccode\u003e/docs/api\u003c/code\u003e, \u003ccode\u003e/docs/api.json\u003c/code\u003e) to trusted networks or users as a workaround if patching is not immediately feasible.\u003c/li\u003e\n\u003cli\u003eReview and eliminate the use of user-controlled variables inside validation rule expressions, as suggested in the advisory.\u003c/li\u003e\n\u003cli\u003eImplement a web application firewall (WAF) rule to detect and block requests containing potentially malicious PHP code in request parameters.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-scramble-rce/","summary":"Scramble versions 0.13.2 through 0.13.21 are vulnerable to remote code execution due to the evaluation of user-controlled input in validation rules during documentation generation, potentially allowing attackers to execute arbitrary PHP code.","title":"Scramble Remote Code Execution via User-Controlled Input","url":"https://feed.craftedsignal.io/briefs/2024-01-scramble-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Scramble (0.13.2 - 0.13.21)","version":"https://jsonfeed.org/version/1.1"}