GoogleOSV:GHSA-8R4M-5P6P-52RPArbitrary file read via SQL injection
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
EPSS
Percentile
45.4%
Impact
It is possible for a user having access to the SQL Manager (Advanced Options -> Database) to arbitrary read any file on the Operating system when using SQL function LOAD_FILE in a SELECT request. So It can access to critical information.
Patches
The patch will be on PS 8.0.4 and PS 1.7.8.9
References
github.com/PrestaShop/PrestaShop
github.com/PrestaShop/PrestaShop/commit/cddac4198a47c602878a787280d813f60c6c0630
github.com/PrestaShop/PrestaShop/commit/d900806e1841a31f26ff0a1843a6888fc1bb7f81
github.com/PrestaShop/PrestaShop/security/advisories/GHSA-8r4m-5p6p-52rp
nvd.nist.gov/vuln/detail/CVE-2023-30545
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
EPSS
Percentile
45.4%