{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/goodoneuz/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-31843"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["pay-uz"],"_cs_severities":["critical"],"_cs_tags":["CVE-2026-31843","RCE","Laravel","webserver"],"_cs_type":"advisory","_cs_vendors":["goodoneuz"],"content_html":"\u003cp\u003eThe goodoneuz/pay-uz Laravel package, specifically versions 2.2.24 and earlier, is vulnerable to unauthenticated remote code execution (RCE). The vulnerability, identified as CVE-2026-31843, resides in the \u003ccode\u003e/payment/api/editable/update\u003c/code\u003e endpoint. This endpoint is insecurely exposed via \u003ccode\u003eRoute::any()\u003c/code\u003e without requiring any form of authentication. This allows any remote attacker to directly write arbitrary, user-supplied input into existing PHP files. Because these files are payment hooks executed via \u003ccode\u003erequire()\u003c/code\u003e during standard payment processing, attackers can inject and execute arbitrary code on the server. This RCE vulnerability poses a severe risk to applications utilizing the vulnerable package, potentially leading to full system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a crafted HTTP POST request to the \u003ccode\u003e/payment/api/editable/update\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe request contains malicious PHP code within the POST parameters, designed for remote code execution.\u003c/li\u003e\n\u003cli\u003eThe vulnerable endpoint uses \u003ccode\u003efile_put_contents()\u003c/code\u003e to write the attacker-supplied PHP code directly into an existing PHP file, overwriting its original content.\u003c/li\u003e\n\u003cli\u003eThe overwritten PHP file is located within the payment processing directory.\u003c/li\u003e\n\u003cli\u003eDuring normal payment processing, the application uses \u003ccode\u003erequire()\u003c/code\u003e to include and execute the modified PHP file.\u003c/li\u003e\n\u003cli\u003eThe attacker's malicious PHP code is executed on the server with the permissions of the web server user.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the server, enabling activities like installing web shells.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-31843 allows unauthenticated attackers to achieve remote code execution on the affected server. This could lead to complete compromise of the system, potentially affecting sensitive data such as customer payment information, API keys, and other confidential data stored within the Laravel application. The impact is particularly severe for e-commerce platforms and any application processing financial transactions using the vulnerable package.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003egoodoneuz/pay-uz\u003c/code\u003e Laravel package to a patched version greater than 2.2.24 to remediate CVE-2026-31843.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to the \u003ccode\u003e/payment/api/editable/update\u003c/code\u003e endpoint as described in the attack chain.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Pay-UZ Laravel RCE Attempt\u003c/code\u003e to identify exploitation attempts via HTTP requests to the vulnerable endpoint.\u003c/li\u003e\n\u003cli\u003eEnable web server logging to capture HTTP POST request data for effective detection and investigation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-laravel-rce/","summary":"A critical unauthenticated remote code execution vulnerability exists in the goodoneuz/pay-uz Laravel package (\u003c= 2.2.24) due to direct user-controlled input being written to executable PHP files via the /payment/api/editable/update endpoint.","title":"Unauthenticated Remote Code Execution in goodoneuz/pay-uz Laravel Package","url":"https://feed.craftedsignal.io/briefs/2024-01-laravel-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - Goodoneuz","version":"https://jsonfeed.org/version/1.1"}