CVE-2018-19355

Name of the Vulnerable Software and Affected Versions PrestaShop versions 1.5 through 1.7

Description The issue allows remote attackers to execute arbitrary code by uploading a php file via "modules/orderfiles/upload.php" with auptype equal to product, order, or cart. This affects upload destinations under "modules/productfiles", "modules/files", and "modules/cartfiles" respectively.

Recommendations For PrestaShop versions 1.5 through 1.7, consider disabling the "modules/orderfiles/ajax/upload.php" file in the Customer Files Upload addon until a patch is available. Restrict access to the "upload.php" file to minimize the risk of exploitation. Avoid using the auptype parameter in the affected API endpoint until the issue is resolved.