{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/152953#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\nPayRange is a mobile payment app that allows users to pay for vending machines, laundromats, and other unattended machines using a smartphone with Bluetooth. Two vulnerabilities were discovered in version 7.0.7 of the PayRange app that is available in the Google Play store. \r\n\r\n### Description\r\nA vulnerability (CVE-2026-13462) exists in the PayRange Android app that causes invalid SSL certificates to be accepted in application WebViews. A second vulnerability (CVE-2026-13461) exists that allows the injection of JavaScript, which can be used to escape the WebView sandbox and perform a number of dangerous actions on the user's device. These vulnerabilities were discovered in version 7.0.7 of the PayRange app.\r\n\r\nThe PayRange app bypasses Android's SSL trust chain and accepts certificates that match any of the following rules (including self-signed certificates):\r\n\r\n* Common Name ends with \"payrange.com\"\r\n* Common Name contains \"stripe.com\"\r\n* Common Name contains \"fetlifestatus.com\" AND any of these conditions are true:\r\n* Issuer Common Name is \"R10\"\r\n* Issuer Common Name is \"R3\"\r\n* Issuer Common Name contains \"Network Solutions\"\r\n\r\nThe attack vector is an on-path interception. If an attacker can direct traffic intended for a legitimate server to a device they control, they can negotiate a TLS connection with the user's device using any trusted certificate that matches the rule set. They are then able to inject content into the WebView and harvest credentials, issue malicious requests and read data entered by the user, including exchanges with the PayRange and Stripe servers.\r\n\r\n### Impact\r\nAn attacker may be able to intercept any information they can convince the user to send through the app. If the user is a machine operator, the injected JavaScript code can also connect to PayRange hardware and issue commands with the full permissions of the operator.\r\n\r\n### Solution\r\nUnfortunately, we were unable to reach the vendor to coordinate this vulnerability. Apply the latest software updates provided by your hardware or software vendor as they become available.\r\n\r\n### Acknowledgements\r\nThanks to Tahi Wilton Geary for reporting this vulnerability. This document was written by Bob Kemerer.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statements and advisory URL if provided by the vendor for more details ","title":"Limitations of Advisory"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/152953"},{"url":"https://payrange.com/","summary":"https://payrange.com/"},{"url":"https://play.google.com/store/apps/details?id=com.payrange.payrange&hl=en-US","summary":"https://play.google.com/store/apps/details?id=com.payrange.payrange&hl=en-US"}],"title":"PayRange Android app version 7.0.7 contains multiple vulnerabilities","tracking":{"current_release_date":"2026-07-09T17:14:15+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.43"}},"id":"VU#152953","initial_release_date":"2026-07-09 17:03:26.066483+00:00","revision_history":[{"date":"2026-07-09T17:14:15+00:00","number":"1.20260709171415.2","summary":"Released on 2026-07-09T17:14:15+00:00"}],"status":"final","version":"1.20260709171415.2"}},"vulnerabilities":[{"title":"PayRange Android app, version 7.","notes":[{"category":"summary","text":"PayRange Android app, version 7.0.7 and below, contains an SSL bypass vulnerability that allows invalid certificates to be accepted in application webviews. A remote and unauthenticated attacker can steal information that the user sends."}],"cve":"CVE-2026-13462","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#152953"}]},{"title":"When coupled with the SSL bypass vulnerability, JavaScript can be injected into a WebView in the PayRange version 7.","notes":[{"category":"summary","text":"When coupled with the SSL bypass vulnerability, JavaScript can be injected into a WebView in the PayRange version 7.0.7 app. The injection of specific JavaScript function calls allows the attacker to escape the WebView sandbox and perform a number of dangerous actions on the user's device."}],"cve":"CVE-2026-13461","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#152953"}]}],"product_tree":{"branches":[]}}