CVE-2023-27637

Name of the Vulnerable Software and Affected Versions tshirtecommerce (aka Custom Product Designer) component version 2.1.4 for PrestaShop

Description An issue was discovered in the tshirtecommerce component, where an HTTP request can be forged with a compromised product id GET parameter to exploit an insecure parameter in the front controller file designer.php, potentially leading to a SQL injection. This issue has been exploited in the wild in March 2023.

Recommendations For version 2.1.4, consider disabling the product id GET parameter in the designer.php file until a patch is available. Restrict access to the designer.php file to minimize the risk of exploitation. Avoid using the product id parameter in the affected HTTP request until the issue is resolved.