CVE-2023-39528: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

August 9, 2023 (updated August 10, 2023)

PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, the displayAjaxEmailHTML method can be used to read any file on the server, potentially even outside of the project if the server is not correctly configured. Version 8.1.1 contains a patch for this issue. There are no known workarounds.

References

github.com/PrestaShop/PrestaShop/commit/11de3a84322fa4ecd0995ac40d575db61804724c
github.com/PrestaShop/PrestaShop/security/advisories/GHSA-hpf4-v7v2-95p2
github.com/advisories/GHSA-hpf4-v7v2-95p2
nvd.nist.gov/vuln/detail/CVE-2023-39528

Code Behaviors & Features

Detect and mitigate CVE-2023-39528 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →