CVE-2023-47109 - Vulnerability Details - OpenCVE

PrestaShop blockreassurance adds an information block aimed at offering helpful information to reassure customers that the store is trustworthy. When adding a block in blockreassurance module, a BO user can modify the http request and give the path of any file in the project instead of an image. When deleting the block from the BO, the file will be deleted. It is possible to make the website completely unavailable by removing index.php for example. This issue has been patched in version 5.1.4.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Prestashop	Customer Reassurance Block

Configuration 1 [-]

cpe:2.3:a:prestashop:customer_reassurance_block:*:*:*:*:*:prestashop:*:*

No data.

References

Link	Providers
https://github.com/PrestaShop/blockreassurance/commit/2d0e97bebf795690caffe33c1ab23a9bf43fcdfa
https://github.com/PrestaShop/blockreassurance/commit/eec00da564db4c1804b0a0d1e3d9f7ec4e27d823
https://github.com/PrestaShop/blockreassurance/releases/tag/v5.1.4
https://github.com/PrestaShop/blockreassurance/security/advisories/GHSA-83j2-qhx2-p7jc

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-11-08T21:37:53.660Z

Updated: 2024-09-04T14:04:42.048Z

Reserved: 2023-10-30T19:57:51.673Z

Link: CVE-2023-47109

Vulnrichment

Updated: 2024-08-02T21:01:22.718Z

NVD

Status : Modified

Published: 2023-11-08T22:15:10.423

Modified: 2024-11-21T08:29:47.733

Link: CVE-2023-47109

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-47109", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-10-30T19:57:51.673Z", "datePublished": "2023-11-08T21:37:53.660Z", "dateUpdated": "2024-09-04T14:04:42.048Z"}, "containers": {"cna": {"title": "PrestaShop blockreassurance BO User can remove any file from server when adding a and deleting a block", "problemTypes": [{"descriptions": [{"cweId": "CWE-285", "lang": "en", "description": "CWE-285: Improper Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/PrestaShop/blockreassurance/security/advisories/GHSA-83j2-qhx2-p7jc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/PrestaShop/blockreassurance/security/advisories/GHSA-83j2-qhx2-p7jc"}, {"name": "https://github.com/PrestaShop/blockreassurance/commit/2d0e97bebf795690caffe33c1ab23a9bf43fcdfa", "tags": ["x_refsource_MISC"], "url": "https://github.com/PrestaShop/blockreassurance/commit/2d0e97bebf795690caffe33c1ab23a9bf43fcdfa"}, {"name": "https://github.com/PrestaShop/blockreassurance/commit/eec00da564db4c1804b0a0d1e3d9f7ec4e27d823", "tags": ["x_refsource_MISC"], "url": "https://github.com/PrestaShop/blockreassurance/commit/eec00da564db4c1804b0a0d1e3d9f7ec4e27d823"}, {"name": "https://github.com/PrestaShop/blockreassurance/releases/tag/v5.1.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/PrestaShop/blockreassurance/releases/tag/v5.1.4"}], "affected": [{"vendor": "PrestaShop", "product": "blockreassurance", "versions": [{"version": "<= 5.1.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-11-08T21:37:53.660Z"}, "descriptions": [{"lang": "en", "value": "PrestaShop blockreassurance adds an information block aimed at offering helpful information to reassure customers that the store is trustworthy. When adding a block in blockreassurance module, a BO user can modify the http request and give the path of any file in the project instead of an image. When deleting the block from the BO, the file will be deleted. It is possible to make the website completely unavailable by removing index.php for example. This issue has been patched in version 5.1.4.\n"}], "source": {"advisory": "GHSA-83j2-qhx2-p7jc", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T21:01:22.718Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/PrestaShop/blockreassurance/security/advisories/GHSA-83j2-qhx2-p7jc", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/PrestaShop/blockreassurance/security/advisories/GHSA-83j2-qhx2-p7jc"}, {"name": "https://github.com/PrestaShop/blockreassurance/commit/2d0e97bebf795690caffe33c1ab23a9bf43fcdfa", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/PrestaShop/blockreassurance/commit/2d0e97bebf795690caffe33c1ab23a9bf43fcdfa"}, {"name": "https://github.com/PrestaShop/blockreassurance/commit/eec00da564db4c1804b0a0d1e3d9f7ec4e27d823", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/PrestaShop/blockreassurance/commit/eec00da564db4c1804b0a0d1e3d9f7ec4e27d823"}, {"name": "https://github.com/PrestaShop/blockreassurance/releases/tag/v5.1.4", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/PrestaShop/blockreassurance/releases/tag/v5.1.4"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-04T14:00:51.221248Z", "id": "CVE-2023-47109", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-04T14:04:42.048Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/PrestaShop/blockreassurance/security/advisories/GHSA-83j2-qhx2-p7jc", "name": "https://github.com/PrestaShop/blockreassurance/security/advisories/GHSA-83j2-qhx2-p7jc", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/PrestaShop/blockreassurance/commit/2d0e97bebf795690caffe33c1ab23a9bf43fcdfa", "name": "https://github.com/PrestaShop/blockreassurance/commit/2d0e97bebf795690caffe33c1ab23a9bf43fcdfa", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/PrestaShop/blockreassurance/commit/eec00da564db4c1804b0a0d1e3d9f7ec4e27d823", "name": "https://github.com/PrestaShop/blockreassurance/commit/eec00da564db4c1804b0a0d1e3d9f7ec4e27d823", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/PrestaShop/blockreassurance/releases/tag/v5.1.4", "name": "https://github.com/PrestaShop/blockreassurance/releases/tag/v5.1.4", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T21:01:22.718Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-47109", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-04T14:00:51.221248Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-04T14:04:36.916Z"}}], "cna": {"title": "PrestaShop blockreassurance BO User can remove any file from server when adding a and deleting a block", "source": {"advisory": "GHSA-83j2-qhx2-p7jc", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "PrestaShop", "product": "blockreassurance", "versions": [{"status": "affected", "version": "<= 5.1.3"}]}], "references": [{"url": "https://github.com/PrestaShop/blockreassurance/security/advisories/GHSA-83j2-qhx2-p7jc", "name": "https://github.com/PrestaShop/blockreassurance/security/advisories/GHSA-83j2-qhx2-p7jc", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/PrestaShop/blockreassurance/commit/2d0e97bebf795690caffe33c1ab23a9bf43fcdfa", "name": "https://github.com/PrestaShop/blockreassurance/commit/2d0e97bebf795690caffe33c1ab23a9bf43fcdfa", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/PrestaShop/blockreassurance/commit/eec00da564db4c1804b0a0d1e3d9f7ec4e27d823", "name": "https://github.com/PrestaShop/blockreassurance/commit/eec00da564db4c1804b0a0d1e3d9f7ec4e27d823", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/PrestaShop/blockreassurance/releases/tag/v5.1.4", "name": "https://github.com/PrestaShop/blockreassurance/releases/tag/v5.1.4", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "PrestaShop blockreassurance adds an information block aimed at offering helpful information to reassure customers that the store is trustworthy. When adding a block in blockreassurance module, a BO user can modify the http request and give the path of any file in the project instead of an image. When deleting the block from the BO, the file will be deleted. It is possible to make the website completely unavailable by removing index.php for example. This issue has been patched in version 5.1.4.\n"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-285", "description": "CWE-285: Improper Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-11-08T21:37:53.660Z"}}}, "cveMetadata": {"cveId": "CVE-2023-47109", "state": "PUBLISHED", "dateUpdated": "2024-09-04T14:04:42.048Z", "dateReserved": "2023-10-30T19:57:51.673Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2023-11-08T21:37:53.660Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:prestashop:customer_reassurance_block:*:*:*:*:*:prestashop:*:*", "matchCriteriaId": "B2227213-F29B-4017-8827-E0E3BC608ED0", "versionEndExcluding": "5.1.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "PrestaShop blockreassurance adds an information block aimed at offering helpful information to reassure customers that the store is trustworthy. When adding a block in blockreassurance module, a BO user can modify the http request and give the path of any file in the project instead of an image. When deleting the block from the BO, the file will be deleted. It is possible to make the website completely unavailable by removing index.php for example. This issue has been patched in version 5.1.4.\n"}, {"lang": "es", "value": "PrestaShop blockreassurance agrega un bloque de informaci\u00f3n destinado a ofrecer informaci\u00f3n \u00fatil para asegurar a los clientes que la tienda es confiable. Al agregar un bloque en el m\u00f3dulo blockreassurance, un usuario BO puede modificar la solicitud http y proporcionar la ruta de cualquier archivo en el proyecto en lugar de una imagen. Al eliminar el bloque del BO, el archivo se eliminar\u00e1. Es posible hacer que el sitio web no est\u00e9 completamente disponible eliminando index.php, por ejemplo. Este problema se solucion\u00f3 en la versi\u00f3n 5.1.4."}], "id": "CVE-2023-47109", "lastModified": "2024-11-21T08:29:47.733", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 4.2, "source": "[email protected]", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "[email protected]", "type": "Primary"}]}, "published": "2023-11-08T22:15:10.423", "references": [{"source": "[email protected]", "tags": ["Patch"], "url": "https://github.com/PrestaShop/blockreassurance/commit/2d0e97bebf795690caffe33c1ab23a9bf43fcdfa"}, {"source": "[email protected]", "tags": ["Patch"], "url": "https://github.com/PrestaShop/blockreassurance/commit/eec00da564db4c1804b0a0d1e3d9f7ec4e27d823"}, {"source": "[email protected]", "tags": ["Release Notes"], "url": "https://github.com/PrestaShop/blockreassurance/releases/tag/v5.1.4"}, {"source": "[email protected]", "tags": ["Vendor Advisory"], "url": "https://github.com/PrestaShop/blockreassurance/security/advisories/GHSA-83j2-qhx2-p7jc"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/PrestaShop/blockreassurance/commit/2d0e97bebf795690caffe33c1ab23a9bf43fcdfa"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/PrestaShop/blockreassurance/commit/eec00da564db4c1804b0a0d1e3d9f7ec4e27d823"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://github.com/PrestaShop/blockreassurance/releases/tag/v5.1.4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/PrestaShop/blockreassurance/security/advisories/GHSA-83j2-qhx2-p7jc"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-285"}], "source": "[email protected]", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "[email protected]", "type": "Primary"}]}