simpleimportproduct- PrestaShop module vulnerability (CVE-2024-25846)

Modulesimpleimportproduct

Score

9.1 Critical

Date publish

27-02-2024

Versiones afectadas

Up to and including 6.7.0

Description

In the module "Product Catalog (CSV, Excel) Import" (simpleimportproduct) <= 6.7.0 from MyPrestaModules for PrestaShop, a guest can upload files with extensions .php.

References

https://addons.prestashop.com/fr/import-...

Product mitre.org

https://security.friendsofpresta.org/mod...

Exploit Third Party Advisory mitre.org

https://addons.prestashop.com/fr/import-...

Product

https://security.friendsofpresta.org/mod...

Exploit Third Party Advisory

Metrics

cvssMetricV31
source	134c704f-9b21-4f2e-91b3-4a467353bcc0
type	Secondary
version	3.1
vectorString	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
baseScore	9.1
baseSeverity	CRITICAL
attackVector	NETWORK
attackComplexity	LOW
privilegesRequired	HIGH
userInteraction	NONE
scope	CHANGED
confidentialityImpact	HIGH
integrityImpact	HIGH
availabilityImpact	HIGH
exploitabilityScore	2.3
impactScore	6