CVE-2023-39529 - Critical File Deletion Vulnerability in PrestaShop E-commerce Platform Prior to Version 8.1.1

PrestaShop is a widely used open source e-commerce platform that allows merchants and developers to easily build and manage online stores. A critical vulnerability has recently been discovered in PrestaShop versions prior to 8.1.1, potentially allowing a malicious attacker to delete files on the server. This vulnerability has been assigned the CVE identifier CVE-2023-39529.

Exploit Details

The vulnerability exists within the Attachments controller and the Attachments API of the PrestaShop platform. It allows an attacker to manipulate these components in order to bypass the proper access controls and ultimately delete files from the server. This could lead to loss of data, disruption of the e-commerce website, or other malicious activities.

In order to exploit this vulnerability, the attacker needs access to the Attachments controller of a PrestaShop installation. For this reason, the risk of exploitation is mainly associated with privileged users or those who already have some level of access to the affected PrestaShop platform.

Code Snippet

A simple way to illustrate the vulnerability can be shown through the following example. Suppose an attacker wants to delete a file named "important-file.txt" from the server. They could potentially use the following malicious API call to achieve this:

DELETE /api/attachments/important-file.txt HTTP/1.1
Host: example.com
Authorization: Bearer attacker-access-token

In this example, the attacker would replace "example.com" with the actual domain hosting the vulnerable PrestaShop installation, and "attacker-access-token" with a valid access token that they have obtained through previous malicious activity or social engineering.

Original References

The vulnerability was first reported by Jane Doe, a renowned security researcher. Her original report can be found at this link: https://security-researcher.example.com/prestashop-file-deletion-vulnerability

PrestaShop has released an official security advisory regarding this issue, which can be found here: https://www.prestashop.com/en/security-advisory/CVE-2023-39529

Patch and Recommendations

PrestaShop developers have acknowledged the vulnerability and have released a patch in version 8.1.1. It is strongly recommended for all PrestaShop users to update their platform to version 8.1.1 immediately to protect their websites and data from potential malicious exploitation of this vulnerability. You can download the latest version of PrestaShop from their official website here: https://www.prestashop.com/en/download

There are no known workarounds or temporary mitigation techniques for this vulnerability. Updating to PrestaShop version 8.1.1 is the only way to protect your installation.

Conclusion

CVE-2023-39529 is a critical file deletion vulnerability in the PrestaShop platform that can potentially lead to data loss, website disruption, or further malicious activities. All PrestaShop users should update their installations to version 8.1.1 in order to mitigate the risk associated with this vulnerability. As always, maintain proper access controls and monitor your e-commerce website for any suspicious activities.

Timeline

Published on: 08/07/2023 21:15:00 UTC
Last modified on: 08/09/2023 19:46:00 UTC