logo

Database

Lack of data validation - Path Traversal In prestashop/prestashop

Description

PrestaShop file access through path traversal

Impact

displayAjaxEmailHTML method can be used to read any file on the server, potentially even outside of the project if the server is not correctly configured.

This vulnerability can be exacerbated when coupled with CWE-502, which pertains to the Deserialization of Untrusted Data. Such a combination could potentially lead to a Remote Code Execution (RCE) vulnerability

Patches

8.1.1

Found by

Aleksey Solovev (Positive Technologies)

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2023-395282. NVD-2023-395283. OSV-2023-395284. GHSA-hpf4-v7v2-95p25. GCVE-2023-39528

References

1. https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-hpf4-v7v2-95p22. https://github.com/PrestaShop/PrestaShop/commit/11de3a84322fa4ecd0995ac40d575db61804724c

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.

FLAT-RXZVO – Vulnerability | Fluid Attacks Database