CVE-2022-45448

Name of the Vulnerable Software and Affected Versions M4 PDF plugin for Prestashop sites versions 3.2.3 and before

Description The M4 PDF plugin for Prestashop sites is vulnerable to an arbitrary HTML Document crafting vulnerability. The resource "/m4pdf/pdf.php" uses templates to dynamically create documents. If the template does not exist, the application returns a fixed document with a message in mpdf format. An attacker could exploit this vulnerability by inputting a valid HTML/CSS document as the value of the parameter.

Recommendations For versions 3.2.3 and before, as a temporary workaround, consider restricting access to the "/m4pdf/pdf.php" endpoint until a patch is available. Avoid using the vulnerable parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.