VU#152953: PayRange Android ap... Note

VU#152953: PayRange Android app version 7.0.7 contains multiple vulnerabilities

PayRange is a mobile payment application designed for use with unattended machines like vending machines and laundromats. It allows users to make payments using their smartphones via Bluetooth. A critical vulnerability was identified in version 7.0.7 of the PayRange Android application. This vulnerability stems from two distinct security flaws. The first flaw (CVE-2026-13462) concerns the app's handling of SSL certificates within its WebViews. Specifically, the PayRange app incorrectly accepts invalid SSL certificates. The second vulnerability (CVE-2026-13461) permits JavaScript injection. This injection can lead to escaping the WebView sandbox, enabling malicious actions on the user's device. Attackers can exploit these vulnerabilities through on-path interception. They can redirect user traffic to their own controlled device. By presenting a trusted certificate matching specific rules, they can initiate a TLS connection. This allows them to inject content, harvest credentials, and execute unauthorized requests. For machine operators, this could extend to issuing commands to PayRange hardware with full operator permissions. Unfortunately, the vendor could not be reached to coordinate a fix. Users are advised to apply any available software updates from their hardware or software providers.