tshirtecommerce- PrestaShop module vulnerability (CVE-2023-27638)

Moduletshirtecommerce

Score

9.8 Critical

Date publish

22-03-2023

Versiones afectadas

Versions from 2.1.4 up to and including 2.1.4

Description

An issue was discovered in the tshirtecommerce (aka Custom Product Designer) component 2.1.4 for PrestaShop. An HTTP request can be forged with a compromised tshirtecommerce_design_cart_id GET parameter in order to exploit an insecure parameter in the functions hookActionCartSave and updateCustomizationTable, which could lead to a SQL injection. This is exploited in the wild in March 2023.

References

https://codecanyon.net/item/prestashop-c...

Product mitre.org

https://friends-of-presta.github.io/secu...

Exploit Patch Third Party Advisory mitre.org

https://tshirtecommerce.com/

Product mitre.org

https://codecanyon.net/item/prestashop-c...

Product

https://friends-of-presta.github.io/secu...

Exploit Patch Third Party Advisory

https://tshirtecommerce.com/

Product

Metrics

cvssMetricV31
source	nvd@nist.gov	134c704f-9b21-4f2e-91b3-4a467353bcc0
type	Primary	Secondary
version	3.1	3.1
vectorString	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
baseScore	9.8	9.8
baseSeverity	CRITICAL	CRITICAL
attackVector	NETWORK	NETWORK
attackComplexity	LOW	LOW
privilegesRequired	NONE	NONE
userInteraction	NONE	NONE
scope	UNCHANGED	UNCHANGED
confidentialityImpact	HIGH	HIGH
integrityImpact	HIGH	HIGH
availabilityImpact	HIGH	HIGH
exploitabilityScore	3.9	3.9
impactScore	5.9	5.9