CVE-2023-27640

Name of the Vulnerable Software and Affected Versions tshirtecommerce (aka Custom Product Designer) component version 2.1.4 for PrestaShop

Description An issue allows a remote attacker to forge an HTTP request with the POST parameter type in the "/tshirtecommerce/fonts.php" endpoint, enabling directory traversal to open files without restriction on extension and path. The file content is returned with base64 encoding. This issue has been exploited in the wild in March 2023.

Recommendations For version 2.1.4, consider disabling access to the "/tshirtecommerce/fonts.php" endpoint until a patch is available. Restrict the use of the type parameter in this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.