First published: Wed Sep 20 2023
The M4 PDF plugin for Prestashop sites, in version 3.2.3 and earlier, is vulnerable to arbitrary HTML document crafting. The resource /m4pdf/pdf.php uses templates to dynamically create documents. If the template does not exist, the application returns a fixed document with a message in mpdf format. An attacker could exploit this vulnerability by inputting a valid HTML/CSS document as the value of the parameter.
Credit: cve-coordination@incibe.es
Affected Software | Affected Version | How to fix |
---|---|---|
Prestashop M4 Pdf | <=3.2.3 |
CVE-2022-45448 is a vulnerability in the M4 PDF plugin for Prestashop sites, version 3.2.3 and earlier, that allows for arbitrary HTML Document crafting.
CVE-2022-45448 affects Prestashop sites that have the M4 PDF plugin installed, specifically versions 3.2.3 and earlier.
CVE-2022-45448 has a severity level of medium, with a CVSS score of 6.1.
To fix CVE-2022-45448, it is recommended to update the M4 PDF plugin for Prestashop sites to version 3.2.4 or later.
You can find more information about CVE-2022-45448 at the following link: [https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-m4-pdf-plugin-prestashop-sites](https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-m4-pdf-plugin-prestashop-sites)
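For reviewing exposure before or after the update, the following is an added example (not code from the advisory or the plugin) that scans web access logs for requests to /m4pdf/pdf.php whose query parameters decode to HTML markup. The combined log format, the sample lines and the parameter name `param` are constructed assumptions, since the advisory does not name the parameter.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

ENDPOINT = "/m4pdf/pdf.php"  # resource named in the advisory
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Tag-like markup: "<" followed by a letter, "/" or "!".
MARKUP_RE = re.compile(r"<\s*[a-zA-Z/!]")

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding (bounded) so %253C is seen as '<'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(log_line):
    """Return names of query parameters carrying markup, for ENDPOINT only."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if not url.path.lower().endswith(ENDPOINT):
        return []
    hits = []
    # parse_qsl decodes once; fully_decode handles double encoding.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if MARKUP_RE.search(fully_decode(value)):
            hits.append(name)
    return hits

def scan(lines):
    """Return (line_number, parameter_names) for every flagged line."""
    return [(n, hits) for n, line in enumerate(lines, 1)
            if (hits := suspicious_params(line))]

# Constructed sample lines; "param" is a placeholder parameter name.
SAMPLE = [
    '203.0.113.5 - - [20/Sep/2023:10:00:00 +0000] "GET /m4pdf/pdf.php?param=invoice HTTP/1.1" 200 5120',
    '203.0.113.9 - - [20/Sep/2023:10:01:00 +0000] "GET /m4pdf/pdf.php?param=%3Ch1%3Enotice%3C%2Fh1%3E HTTP/1.1" 200 812',
    '203.0.113.9 - - [20/Sep/2023:10:02:00 +0000] "GET /m4pdf/pdf.php?param=%253Cstyle%253E HTTP/1.1" 200 790',
    '203.0.113.7 - - [20/Sep/2023:10:03:00 +0000] "GET /index.php?q=%3Cb%3E HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for n, names in scan(SAMPLE):
        print(f"line {n}: markup in parameter(s) {names}")
```

Access logs normally record only the query string, so values sent in a request body are not covered by this check.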