Cross-site Scripting in M4 PDF plugin for Prestashop sites
CVE-2022-45448

3.5LOW

Key Information:

Vendor: Prestashop
Status: M4 PDF Plugin
Vendor: CVE Published:; 20 September 2023

What is CVE-2022-45448?

M4 PDF plugin for Prestashop sites, in its 3.2.3 version and before, is vulnerable to an arbitrary HTML Document crafting vulnerability. The resource /m4pdf/pdf.php uses templates to dynamically create documents. In the case that the template does not exist, the application will return a fixed document with a message in mpdf format. An attacker could exploit this vulnerability by inputting a valid HTML/CSS document as the value of the parameter.

Affected Version(s)

M4 PDF plugin 0 <= 3.2.3

References

https://www.incibe.es/en/incibe-cert/notices/aviso/multip...

CVSS V3.1

Score:

3.5

Severity:

LOW

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Sep 20, 2023
Vulnerability Reserved
Nov 16, 2022

Credit

Francisco Díaz-Pache Alonso

David Álvarez Robles

Sergio Corral Cristo