Path Traversal in M4 PDF plugin for Prestashop sites
CVE-2022-45447

6.5MEDIUM

Key Information:

Vendor: Prestashop
Status: M4 PDF Plugin
Vendor: CVE Published:; 20 September 2023

What is CVE-2022-45447?

M4 PDF plugin for Prestashop sites, in its 3.2.3 version and before, is vulnerable to a directory traversal vulnerability. The “f” parameter is not properly checked in the resource /m4pdf/pdf.php, returning any file given its relative path. An attacker that exploits this vulnerability could download /etc/passwd from the server if the file exists.

Affected Version(s)

M4 PDF plugin 0 <= 3.2.3

References

https://www.incibe.es/en/incibe-cert/notices/aviso/multip...

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Sep 20, 2023
Vulnerability Reserved
Nov 16, 2022

Credit

Francisco Díaz-Pache Alonso

David Álvarez Robles

Sergio Corral Cristo