CVE-2023-47109 – prestashop/blockreassurance

Package

Manager: composer
Name: prestashop/blockreassurance
Vulnerable Version: >=0 <5.1.4

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00239 pctl0.46895

Details

PrestaShop blockreassurance BO User can remove any file from server when adding a and deleting a block ### Impact When adding a block in blockreassurance module, a BO user can modify the http request and give the path of any file in the project instead of an image. When deleting the block from the BO, the file will be deleted. It is possible to make the website completely unavailable by removing index.php for example. ### Patches v5.1.4 ### Workarounds No workaround available ### References

Metadata

Created: 2023-11-08T17:53:14Z
Modified: 2023-11-09T16:14:24Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-83j2-qhx2-p7jc/GHSA-83j2-qhx2-p7jc.json
CWE IDs: ["CWE-285"]
Alternative ID: GHSA-83j2-qhx2-p7jc
Finding: F039
Auto approve: 1