CVE-2023-27640
published 2023-06-01


Priority: P2 (77, high)
CVSS 3.1 base score: 7.5
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
Exploitation: exploited in the wild (ITW); listed in VulnCheck KEV
EPSS: 3.57% (87.9th percentile)
An issue was discovered in the tshirtecommerce (aka Custom Product Designer) component 2.1.4 for PrestaShop. An HTTP request can be forged with the POST parameter type in the /tshirtecommerce/fonts.php endpoint, to allow a remote attacker to traverse directories on the system in order to open files (without restriction on the extension and path). The content of the file is returned with base64 encoding. This is exploited in the wild in March 2023.

Affected

1 range
Vendor            Product                    Version range   Fixed in
tshirtecommerce   custom_product_designer    <= 2.1.4        (not listed)

Detection & IOCs (extracted from sources)

URL:  /tshirtecommerce/fonts.php?name=2&type=./../index.php
Path: /tshirtecommerce/fonts.php
  • Look for HTTP requests (GET or POST) to /tshirtecommerce/fonts.php containing directory traversal sequences (e.g., ../) in the 'type' or 'name' parameters.
  • Responses from a successful exploit will return base64-encoded file contents; detect responses with status 200, Content-Type text/html, and a base64-decoded body containing both 'PrestaShop' and '<?php'.
  • Use the Google dork inurl:"/tshirtecommerce/" to identify potentially exposed PrestaShop instances running the vulnerable module.
  • The content of traversed files is returned base64-encoded in the HTTP response body; monitor for anomalously large base64 blobs in responses from fonts.php.
  • This vulnerability was actively exploited in the wild in March 2023; prioritize detection and patching for any PrestaShop instances with the tshirtecommerce module installed.
  • The traversal is unrestricted by file extension or path, meaning any readable file on the server (not just PHP files) can be exfiltrated via the 'type' parameter.
  • Both POST and GET parameters are exploitable for the traversal, so detection rules must cover both HTTP methods on the fonts.php endpoint.
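The detection points above, turned into runnable logic as an added example (this is not code from the CVE record, from PrestaShop, or from the tshirtecommerce module). It assumes combined-format access-log lines and form-encoded POST bodies; all log lines and response bodies below are constructed samples, and the only traversal URL reused is the one listed under Detection & IOCs. It flags requests to /tshirtecommerce/fonts.php whose 'type' or 'name' parameter (query string or POST body) carries a percent-decoded ../ segment, and separately tests a response body for the base64-wrapped '<?php' plus 'PrestaShop' marker named above.

```python
"""Detection logic for the fonts.php traversal indicators (added example)."""
import base64
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined log format). Line 2 carries
# the traversal URL from the IOC list; line 3 is the same idea, percent-encoded;
# line 4 is a POST whose body is not in the access log (checked separately).
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2023:10:01:02 +0000] "GET /tshirtecommerce/fonts.php?name=1&type=ttf HTTP/1.1" 200 512
203.0.113.9 - - [12/Mar/2023:10:01:07 +0000] "GET /tshirtecommerce/fonts.php?name=2&type=./../index.php HTTP/1.1" 200 8120
203.0.113.9 - - [12/Mar/2023:10:01:09 +0000] "GET /tshirtecommerce/fonts.php?name=2&type=..%2F..%2Findex.php HTTP/1.1" 200 8120
198.51.100.7 - - [12/Mar/2023:10:02:00 +0000] "POST /tshirtecommerce/fonts.php HTTP/1.1" 200 9000
"""

LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TARGET_PATH = "/tshirtecommerce/fonts.php"
WATCHED_PARAMS = ("type", "name")
# A ".." path segment bounded by / or \ (or string start/end).
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def has_traversal(value: str) -> bool:
    """True if the parameter value contains a ../ (or ..\\) segment.

    parse_qs already percent-decodes once; decoding twice more here catches
    double-encoded variants such as %252E%252E%252F.
    """
    return bool(TRAVERSAL_RE.search(unquote(unquote(value))))


def suspicious_params(encoded: str) -> dict:
    """Return the watched parameters (type/name) whose values contain traversal."""
    params = parse_qs(encoded, keep_blank_values=True)
    return {
        k: v for k, v in params.items()
        if k in WATCHED_PARAMS and any(has_traversal(x) for x in v)
    }


def scan_request(method: str, target: str, body: str = ""):
    """Flag a request to fonts.php with traversal in the query or, for POST, the body.

    Returns the offending parameters, or None when the request is not of interest.
    """
    parts = urlsplit(target)
    if parts.path != TARGET_PATH:
        return None
    hits = suspicious_params(parts.query)
    if method.upper() == "POST":
        hits.update(suspicious_params(body))
    return hits or None


def scan_access_log(text: str) -> list:
    """Run scan_request over each access-log line; return one alert per hit."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        hits = scan_request(m["method"], m["target"])
        if hits:
            alerts.append({"method": m["method"], "target": m["target"],
                           "status": int(m["status"]), "params": hits})
    return alerts


def looks_like_leaked_php(body: bytes) -> bool:
    """Response-side check from the IOC list: base64 body decoding to text that
    contains both 'PrestaShop' and '<?php'."""
    try:
        decoded = base64.b64decode(body.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return b"PrestaShop" in decoded and b"<?php" in decoded


# Constructed sample response bodies: one mimicking a leaked PHP file, one benign.
SAMPLE_LEAK = base64.b64encode(b"<?php\n// PrestaShop front controller (constructed sample)\n")
SAMPLE_BENIGN = base64.b64encode(b"font binary data (constructed sample)")


if __name__ == "__main__":
    for alert in scan_access_log(SAMPLE_LOG):
        print("traversal request:", alert)
    print("leak marker in response:", looks_like_leaked_php(SAMPLE_LEAK))
```

Because POST bodies are not in a standard access log, `scan_request` takes the body as a separate argument so the same check can be wired to a WAF, reverse proxy or packet-capture source that does see it; the response check is deliberately independent of the request check so it can run on the egress side alone.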

CVSS provenance

Source      Version   Score   Severity   Vector
NVD         v3.1      7.5     HIGH       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
VulnCheck             7.5     HIGH