Description

modules/orderfiles/ajax/upload.php in the Customer Files Upload addon 2018-08-01 for PrestaShop (1.5 through 1.7) allows remote attackers to execute arbitrary code by uploading a php file via modules/orderfiles/upload.php with auptype equal to product (for upload destinations under modules/productfiles), order (for upload destinations under modules/files), or cart (for upload destinations under modules/cartfiles).

Remediation

References

CVE-2018-19355

Related Vulnerabilities

Zenphoto Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2015-5591)

WordPress Plugin Music Store Open Redirect (1.0.14)

WordPress Plugin FL3R FeelBox Multiple Vulnerabilities (8.1)

Magento Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') Vulnerability (CVE-2021-21016)

Atlassian Jira Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2021-43945)

Severity

Critical

Classification

CVE-2018-19355 CWE-434 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Missing Update Known Vulnerabilities