CVE-2023-27640
HIGH EXPLOITED IN THE WILD NUCLEItshirtecommerce Custom Product Designer < 2.1.4 - Path Traversal via Fonts Endpoint
Title source: llmExploitation Summary
CVE-2023-27640 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). A Nuclei detection template is also available.
Description
An issue was discovered in the tshirtecommerce (aka Custom Product Designer) component 2.1.4 for PrestaShop. An HTTP request can be forged with the POST parameter type in the /tshirtecommerce/fonts.php endpoint, to allow a remote attacker to traverse directories on the system in order to open files (without restriction on the extension and path). The content of the file is returned with base64 encoding. This is exploited in the wild in March 2023.
Nuclei Templates (1)
PrestaShop tshirtecommerce - Directory Traversal
HIGHby MaStErChO
References (1)
Core 1
Core References
Exploit, Patch, Third Party Advisory
https://friends-of-presta.github.io/security-advisories/module/2023/03/30/tshirtecommerce_cwe-22.html
Scores
CVSS v3
7.5
EPSS
0.0357
EPSS Percentile
87.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
VulnCheck KEV
2023-06-01
InTheWild.io
2023-06-01
CWE
CWE-22
Status
published
Products (1)
tshirtecommerce/custom_product_designer
< 2.1.4
Published
Jun 01, 2023
Tracked Since
Feb 18, 2026