First published: Wed Nov 08 2023
### Impact

When adding a block in the blockreassurance module, a BO user can modify the HTTP request and give the path of any file in the project instead of an image. When the block is deleted from the BO, that file is deleted. It is possible to make the website completely unavailable by removing index.php, for example.

### Patches

v5.1.4

### Workarounds

No workaround available

### References
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/prestashop/blockreassurance | <=5.1.3 | 5.1.4 |
| | <5.1.4 | |
https://github.com/PrestaShop/blockreassurance/commit/2d0e97bebf795690caffe33c1ab23a9bf43fcdfa
https://github.com/PrestaShop/blockreassurance/commit/eec00da564db4c1804b0a0d1e3d9f7ec4e27d823
The vulnerability ID is CVE-2023-47109.
The impact of CVE-2023-47109 is that a back-office user can modify the HTTP request in the blockreassurance module and delete files, potentially making the website completely unavailable.
The severity of CVE-2023-47109 is medium, with a severity value of 5.5.
To fix CVE-2023-47109, update the PrestaShop/blockreassurance package to version 5.1.4 or later.
You can find more information about CVE-2023-47109 in the following references: [GitHub Advisory](https://github.com/PrestaShop/blockreassurance/security/advisories/GHSA-83j2-qhx2-p7jc), [Commit 1](https://github.com/PrestaShop/blockreassurance/commit/2d0e97bebf795690caffe33c1ab23a9bf43fcdfa), [Commit 2](https://github.com/PrestaShop/blockreassurance/commit/eec00da564db4c1804b0a0d1e3d9f7ec4e27d823).
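
The flaw described under Impact comes down to trusting a stored file path at delete time. As an added example (not the module's code and not the 5.1.4 patch), this PHP code resolves the path and refuses to delete anything that is not an image inside the expected directory; `isDeletableImage`, `deleteBlockImage`, the extension list and the temp-directory layout are assumptions made for illustration.

```php
<?php
// Added illustration; function names and paths are hypothetical,
// not taken from the blockreassurance code base.

/** True only if $storedPath resolves to an image file inside $imageDir. */
function isDeletableImage(string $storedPath, string $imageDir): bool
{
    // realpath() collapses "../" and symlinks; false means the path does not exist.
    $base = realpath($imageDir);
    $target = realpath($storedPath);
    if ($base === false || $target === false || !is_file($target)) {
        return false;
    }
    // Compare against the base plus a trailing separator so that a sibling
    // directory such as "img-old" does not pass as "img".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    // Assumed allow-list of image extensions.
    $ext = strtolower(pathinfo($target, PATHINFO_EXTENSION));
    return in_array($ext, ['png', 'jpg', 'jpeg', 'gif', 'svg'], true);
}

/** Delete the image behind a block, refusing any path that fails the check. */
function deleteBlockImage(string $storedPath, string $imageDir): bool
{
    if (!isDeletableImage($storedPath, $imageDir)) {
        // json_encode() keeps control characters out of the log line.
        error_log('refused unsafe image path: ' . json_encode($storedPath));
        return false;
    }
    return unlink(realpath($storedPath));
}

// Constructed sample tree in a temp directory, so the demo runs offline.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'reassurance_demo_' . uniqid();
mkdir($root . '/img', 0700, true);
file_put_contents($root . '/index.php', '<?php // constructed placeholder');
file_put_contents($root . '/img/icon.png', 'constructed placeholder');

// A stored value that climbs out of img/ to the front controller.
var_dump(deleteBlockImage($root . '/img/../index.php', $root . '/img'));
var_dump(file_exists($root . '/index.php'));
// A stored value that really is an uploaded image.
var_dump(deleteBlockImage($root . '/img/icon.png', $root . '/img'));
```

The same check belongs at upload time as well, so that a path outside the image directory is never stored in the first place.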