Executive Summary

The vulnerability CVE-2026-32699 affects FacturaScripts versions up to 2025.92. It involves improper validation of the 'nick' parameter in the EditUser controller during a POST request. Although the user interface prevents editing this field, an attacker can intercept and modify the 'nick' parameter using a proxy tool, allowing them to rename any account, including the administrator account.

This leads to broken access control because the application processes the change without proper validation. An attacker can log out and log back in with the new username while keeping the original password, enabling identity impersonation and sabotage of audit logs.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing unauthorized users to rename accounts, including administrator accounts, which breaks access control.

It enables identity impersonation, meaning an attacker can assume another user's identity without knowing their password.

It can also corrupt audit logs and data integrity because internal references to the original usernames become orphaned, undermining accountability and system integrity in a multi-user environment.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring POST requests to the EditUser controller for modifications to the 'nick' parameter, which should normally be immutable.

Using a proxy tool like Burp Suite, you can intercept and inspect POST requests to check if the 'nick' parameter is being altered.

There are no specific commands provided in the resources, but network traffic inspection or web application firewall (WAF) logs can be used to identify suspicious POST requests containing changes to the 'nick' parameter.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation involves preventing unauthorized modification of the 'nick' parameter during POST requests to the EditUser controller.

You should restrict access to the EditUser controller to trusted users only and monitor for unusual changes to user account names.

Using a web application firewall (WAF) to block or alert on POST requests that attempt to modify the 'nick' parameter can help mitigate exploitation.

Additionally, updating FacturaScripts to a version later than 2025.92, where this vulnerability is fixed, is recommended as a permanent solution.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows unauthorized modification of user account identifiers, including the administrator account, which leads to broken access control and potential audit log corruption.

Such unauthorized changes undermine data integrity and accountability, which are critical requirements in compliance frameworks like GDPR and HIPAA that mandate strict access controls and accurate audit trails.

By enabling identity impersonation and sabotage of audit logs, the vulnerability could result in non-compliance with these regulations due to failure to protect user identity and maintain reliable records of user actions.

Useful 0 Not Useful 0