Back to KEVs

CVE-2023-27639

An issue was discovered in the tshirtecommerce (aka Custom Product Designer) component 2.1.4 for PrestaShop. An HTTP request can be forged with the...

Basic Information

CVE State: PUBLISHED
Reserved Date: March 05, 2023
Published Date: June 01, 2023
Last Updated: January 09, 2025
Vendor: n/a
Product: n/a
Description: An issue was discovered in the tshirtecommerce (aka Custom Product Designer) component 2.1.4 for PrestaShop. An HTTP request can be forged with the POST parameter file_name in the tshirtecommerce/ajax.php?type=svg endpoint, to allow a remote attacker to traverse directories on the system in order to open files (without restriction on the extension and path). Only files that can be parsed in XML can be opened. This is exploited in the wild in March 2023.
Tags

CVSS Scores

CVSS v3.1

7.5 - HIGH

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

SSVC Information

Exploitation: poc
Automatable: Yes
Technical Impact: partial

Exploit Status

Exploited in the Wild: Yes (2023-06-01 00:00:00 UTC) Source

References

https://friends-of-presta.github.io/security-advisories/module/2023/03/30/tshirtecommerce_cwe-22.html

Known Exploited Vulnerability Information

Source	Added Date
CVE	2023-06-01 00:00:00 UTC

Scanner Integrations

Scanner	URL	Date Detected
Nuclei	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-27639.yaml	2025-04-26 00:00:00 UTC

Timeline

CVE ID Reserved

March 05, 2023
CVE Published to Public

June 01, 2023
Added to KEVIntel

June 01, 2023
Detected by Nuclei

April 26, 2025