{"vuid":"VU#152953","idnumber":"152953","name":"PayRange Android app version 7.0.7 contains multiple vulnerabilities","keywords":null,"overview":"### Overview\r\nPayRange is a mobile payment app that allows users to pay for vending machines, laundromats, and other unattended machines using a smartphone with Bluetooth. Two vulnerabilities were discovered in version 7.0.7 of the PayRange app that is available in the Google Play store. \r\n\r\n### Description\r\nA vulnerability (CVE-2026-13462) exists in the PayRange Android app that causes invalid SSL certificates to be accepted in application WebViews. A second vulnerability (CVE-2026-13461) exists that allows the injection of JavaScript, which can be used to escape the WebView sandbox and perform a number of dangerous actions on the user's device. These vulnerabilities were discovered in version 7.0.7 of the PayRange app.\r\n\r\nThe PayRange app bypasses Android's SSL trust chain and accepts certificates that match any of the following rules (including self-signed certificates):\r\n\r\n* Common Name ends with \"payrange.com\"\r\n* Common Name contains \"stripe.com\"\r\n* Common Name contains \"fetlifestatus.com\" AND any of these conditions are true:\r\n* Issuer Common Name is \"R10\"\r\n* Issuer Common Name is \"R3\"\r\n* Issuer Common Name contains \"Network Solutions\"\r\n\r\nThe attack vector is an on-path interception. If an attacker can direct traffic intended for a legitimate server to a device they control, they can negotiate a TLS connection with the user's device using any trusted certificate that matches the rule set. They are then able to inject content into the WebView and harvest credentials, issue malicious requests and read data entered by the user, including exchanges with the PayRange and Stripe servers.\r\n\r\n### Impact\r\nAn attacker may be able to intercept any information they can convince the user to send through the app. If the user is a machine operator, the injected JavaScript code can also connect to PayRange hardware and issue commands with the full permissions of the operator.\r\n\r\n### Solution\r\nUnfortunately, we were unable to reach the vendor to coordinate this vulnerability. Apply the latest software updates provided by your hardware or software vendor as they become available.\r\n\r\n### Acknowledgements\r\nThanks to Tahi Wilton Geary for reporting this vulnerability. This document was written by Bob Kemerer.","clean_desc":null,"impact":null,"resolution":null,"workarounds":null,"sysaffected":null,"thanks":null,"author":null,"public":["https://payrange.com/","https://play.google.com/store/apps/details?id=com.payrange.payrange&hl=en-US"],"cveids":["CVE-2026-13461","CVE-2026-13462"],"certadvisory":null,"uscerttechnicalalert":null,"datecreated":"2026-07-09T17:03:26.214133Z","publicdate":"2026-07-09T17:03:26.066483Z","datefirstpublished":"2026-07-09T17:03:26.232973Z","dateupdated":"2026-07-09T17:14:15.741569Z","revision":2,"vrda_d1_directreport":null,"vrda_d1_population":null,"vrda_d1_impact":null,"cam_widelyknown":null,"cam_exploitation":null,"cam_internetinfrastructure":null,"cam_population":null,"cam_impact":null,"cam_easeofexploitation":null,"cam_attackeraccessrequired":null,"cam_scorecurrent":null,"cam_scorecurrentwidelyknown":null,"cam_scorecurrentwidelyknownexploited":null,"ipprotocol":null,"cvss_accessvector":null,"cvss_accesscomplexity":null,"cvss_authentication":null,"cvss_confidentialityimpact":null,"cvss_integrityimpact":null,"cvss_availabilityimpact":null,"cvss_exploitablity":null,"cvss_remediationlevel":null,"cvss_reportconfidence":null,"cvss_collateraldamagepotential":null,"cvss_targetdistribution":null,"cvss_securityrequirementscr":null,"cvss_securityrequirementsir":null,"cvss_securityrequirementsar":null,"cvss_basescore":null,"cvss_basevector":null,"cvss_temporalscore":null,"cvss_environmentalscore":null,"cvss_environmentalvector":null,"metric":null,"vulnote":215}