CVE-2022-45447— Prestashop 路径遍历漏洞

Path Traversal in M4 PDF plugin for Prestashop sites

M4 PDF plugin for Prestashop sites, in its 3.2.3 version and before, is vulnerable to a directory traversal vulnerability. The “f” parameter is not properly checked in the resource /m4pdf/pdf.php, returning any file given its relative path. An attacker that exploits this vulnerability could download /etc/passwd from the server if the file exists.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

对路径名的限制不恰当(路径遍历)

Prestashop 路径遍历漏洞

PrestaShop是美国PrestaShop公司的一套开源的电子商务解决方案。该方案提供多种支付方式、短消息提醒和商品图片缩放等功能。 Prestashop plugin M4 PDF 3.2.3 及之前版本存在安全漏洞，该漏洞源于/m4pdf/pdf.php 中的f参数未正确检查，会返回给定相对路径的任何文件，攻击者利用此漏洞可以从服务器下载 /etc/passwd。

N/A

N/A