CVE-2023-39528

PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, the displayAjaxEmailHTML method can be used to read any file on the server, potentially even outside of the project if the server is not correctly configured. Version 8.1.1 contains a patch for this issue. There are no known workarounds.

Published: Aug 7, 2023
Updated: May 10, 2024
CVE: CVE-2023-39528
GHSA: GHSA-hpf4-v7v2-95p2
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.6
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CWEs:

CWE-22

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
prestashop / prestashop	-	8.1.1
prestashop / prestashop	-	8.1.1

https://github.com/PrestaShop/PrestaShop/commit/11de3a84322fa4ecd0995ac40d575db61804724c
https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-hpf4-v7v2-95p2

Vulnerability Database

289,784

CVE-2023-39528