Unknown · Facturascripts · CVE-2026-32699
**Name of the Vulnerable Software and Affected Versions**
FacturaScripts (affected versions not specified)
**Description**
Broken Access Control exists in the user update logic. The application fails to validate the `nick` parameter during a `POST` request to the `/EditUser` endpoint. Although the user interface prevents editing this field, a user can bypass this restriction with an intercepting proxy and rename any account, including the Administrator. This allows an attacker to sabotage the system audit trail, perform malicious actions, and rename their account to evade detection or frame other users, which may lead to identity impersonation and to data corruption, because internal references that still point to the old `nick` are left orphaned.
**Recommendations**
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
As a temporary workaround, restrict access to the `/EditUser` endpoint or implement server-side validation to ensure the `nick` parameter cannot be modified.
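To illustrate the server-side validation recommended above, the following added example (not FacturaScripts' own code; FacturaScripts is written in PHP, so the handler is a hypothetical PHP one) contrasts an update routine that copies every submitted field into the user record with one that enforces an allowlist on the server, so `nick` stays unchanged whatever the client sends. Function names, the editable field list and the sample request are assumptions.

```php
<?php
// Hypothetical user-update handler (added example, not FacturaScripts code).
// Field names and the allowlist are assumptions for illustration only.

// VULNERABLE pattern: trusts the client to send only the fields the UI
// exposes. A request that also carries nick=... renames the account.
function updateUserVulnerable(array $user, array $post): array
{
    foreach ($post as $field => $value) {
        $user[$field] = $value;   // mass assignment, no server-side allowlist
    }
    return $user;
}

// HARDENED pattern: the server decides which fields are writable. The
// identity field `nick` is never in the list, so it cannot be modified
// regardless of what the UI hides or shows.
const EDITABLE_FIELDS = ['email', 'langcode', 'homepage'];

function updateUserHardened(array $user, array $post, ?callable $log = null): array
{
    foreach ($post as $field => $value) {
        if (!in_array($field, EDITABLE_FIELDS, true)) {
            // Drop the field and record the attempt: a write to an immutable
            // field is the detection signal for this kind of tampering.
            if ($log !== null) {
                $log("rejected write to '$field' for user '{$user['nick']}'");
            }
            continue;
        }
        $user[$field] = $value;
    }
    return $user;
}

// Constructed sample: the form would only send email, a tampered request
// adds nick as well.
$user = ['nick' => 'admin', 'email' => 'admin@example.test', 'langcode' => 'en'];
$post = ['email' => 'new@example.test', 'nick' => 'someone-else'];

$v = updateUserVulnerable($user, $post);
$h = updateUserHardened($user, $post, function (string $msg): void {
    echo 'audit: ', $msg, PHP_EOL;
});

echo 'vulnerable handler nick: ', $v['nick'], PHP_EOL;
echo 'hardened handler nick:   ', $h['nick'], PHP_EOL;
```

The same allowlist check belongs in the model's save path as well, so that other controllers or plugins cannot reintroduce the bypass.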