Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-29631: [CVE-2023-29631] Unrestricted upload vulnerability in Jms Slider (jmsslider) PrestaShop module

PrestaShop jmsslider 1.6.0 is vulnerable to Incorrect Access Control via ajax_jmsslider.php.

CVE
Open in Source
#vulnerability#web#php#rce#auth#ssl

The module Jms Slider (jmsslider) from Joommasters contains an unrestricted upload of file with dangerous type vulnerability. This module is for the PrestaShop e-commerce platform and mainly provided with joo masters PrestaShop themes

Summary

  • CVE ID: CVE-2023-29631
  • Published at: 2023-03-13
  • Advisory source: Joomasters
  • Platform: PrestaShop
  • Product: jmsslider
  • Impacted release: at least 1.6.0
  • Product author: Joommasters
  • Weakness: CWE-434
  • Severity: critical (9.8)

Description

ajax_jmsslider.php can be called anonymously to upload a php file that can be used for RCE.

CVSS base metrics

  • Attack vector: network
  • Attack complexity: low
  • Privilege required: none
  • User interaction: none
  • Scope: unchanged
  • Confidentiality: high
  • Integrity: high
  • Availability: high

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Possible malicious usage

  • Technical and personal data leaks
  • Obtain admin access
  • Remove all data of the linked PrestaShop
  • Display sensitives tables to front-office to unlock potential admin’s ajax scripts of modules protected by token on the ecosystem

Proof of concept

curl -v -F "[email protected]" "https://preprod.XXX/modules/jmsslider/ajax_jmsslider.php?secure_key=VALUE_AVAILABLE_ON_FRONTOFFICE&action=addLayer&data_type=image&id_slide=99999"

Patch

Provided by the editor https://www.joommasters.com/index.php/blog/tutorials-and-case-studies/how-to-fix-security-bug-of-slider-security-breach-of-theme.html

Timeline

Date

Action

2019-09-04

Vulnerability publish by the editor

2023-02-17

Contact the author

2023-03-13

Publish this security advisory

Other recommandations

  • Upgrade PrestaShop to the latest version to disable multiquery executions (separated by “;”)
  • Change the default database prefix ps_ by a new longer arbitrary prefix. Nethertheless, be warned that this is useless against blackhat with DBA senior skill because of a design vulnerability in DBMS
  • Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against these set of rules.

Links

  • Joom masters web site
  • Joom masters blog post on the vulnerability

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE