CVE-2023-27638

Name of the Vulnerable Software and Affected Versions tshirtecommerce (aka Custom Product Designer) component version 2.1.4 for PrestaShop

Description An issue was discovered in the tshirtecommerce component, where an HTTP request can be forged with a compromised tshirtecommerce design cart id GET parameter to exploit an insecure parameter in the functions hookActionCartSave and updateCustomizationTable, which could lead to a SQL injection. This issue has been exploited in the wild in March 2023.

Recommendations For version 2.1.4, consider disabling the hookActionCartSave and updateCustomizationTable functions until a patch is available. Restrict access to the tshirtecommerce design cart id GET parameter to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.