CVE-2023-39529

MEDIUM6.7EPSS 0.92%

PrestaShop file deletion via attachment API

Published: 8/9/2023Modified: 2/16/2024

Also known as:GHSA-2rf5-3fw8-qm47BIT-prestashop-2023-39529

Description

### Impact It is possible to delete a file from the server by using the Attachments controller and the Attachments API. ### Patches 8.1.1 ### Found by Kto94 (via Yeswehack) ### Workarounds none ### References none

Affected packages (2)

Bitnami/prestashopfrom 0, < 8.1.1
Packagist/prestashop/prestashopfrom 0, < 8.1.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.7	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-39529
PATCHhttps://github.com/PrestaShop/PrestaShop
WEBhttps://github.com/PrestaShop/PrestaShop/commit/b08c647305dc1e9e6a2445b724d13a9733b6ed82
WEBhttps://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-2rf5-3fw8-qm47