CVE-2023-27639
Description
An issue was discovered in the tshirtecommerce (aka Custom Product Designer) component 2.1.4 for PrestaShop. An HTTP request can be forged with the POST parameter file_name in the tshirtecommerce/ajax.php?type=svg endpoint, to allow a remote attacker to traverse directories on the system in order to open files (without restriction on the extension and path). Only files that can be parsed in XML can be opened. This is exploited in the wild in March 2023.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- tshirtecommerce/Custom Product Designer
- Range: = 2.1.4
Patches
Vulnerability mechanics
Root cause
"Missing input validation and sanitization of the `file_name` POST parameter allows directory traversal."
Attack vector
An attacker sends an HTTP POST request to `tshirtecommerce/ajax.php?type=svg` with a crafted `file_name` parameter containing path traversal sequences (e.g., `./../`). The server does not validate or sanitize the path, allowing the attacker to traverse directories and open arbitrary files on the filesystem [ref_id=1]. Only files that can be parsed as XML will be successfully read; other files will cause an error. No authentication is required, and the attack can be performed over the network with low complexity [ref_id=1].
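The input validation that the root cause above names as missing, shown as an added example in Python rather than the module's PHP: it is not code from the tshirtecommerce module or a vendor fix (the advisory's remediation is still to remove the module). The base directory, the `.svg` extension rule and the function names are assumptions.

```python
import os

# Constructed example of the check the advisory says is missing: resolve the
# requested file name against a fixed base directory and refuse anything that
# escapes it. Illustrative code, not the tshirtecommerce module's own.
SVG_BASE = "/var/www/prestashop/tshirtecommerce/svg"  # assumed base directory


class TraversalRejected(ValueError):
    """Raised when a requested name would resolve outside the base directory."""


def resolve_svg_path(file_name: str, base_dir: str = SVG_BASE) -> str:
    """Return an absolute path under base_dir for file_name, or raise.

    Checks, in order: the name must be non-empty and free of NUL bytes (which
    truncate paths in C-level open()), must carry a .svg extension, and must
    still sit under base_dir after '..' segments have been normalised.
    """
    if not file_name or "\x00" in file_name:
        raise TraversalRejected("empty or NUL-containing file name")
    if not file_name.lower().endswith(".svg"):
        raise TraversalRejected("only .svg files are served")
    base = os.path.realpath(base_dir)
    # os.path.join would discard base_dir for an absolute name, so strip '/'.
    candidate = os.path.realpath(os.path.join(base, file_name.lstrip("/\\")))
    # commonpath rejects names whose prefix merely looks like base ("svg2/x").
    if os.path.commonpath([base, candidate]) != base:
        raise TraversalRejected(f"{file_name!r} resolves outside {base}")
    return candidate


def is_safe_svg_name(file_name: str) -> bool:
    """True if resolve_svg_path would accept the name, False if it rejects it."""
    try:
        resolve_svg_path(file_name)
        return True
    except TraversalRejected:
        return False
```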
Affected code
The vulnerable endpoint is `tshirtecommerce/ajax.php?type=svg`, which accepts the POST parameter `file_name` to read files from the server. The advisory also identifies `tshirtecommerce/fonts.php` as a second vulnerable endpoint using the GET parameter `type` [ref_id=1]. The module version affected is 2.1.4, the latest release as of July 2019 [ref_id=1].
What the fix does
No patch has been released by the vendor; the module has not been maintained since 2019 [ref_id=1]. The advisory strongly recommends removing the module entirely, as the vulnerability remains unaddressed in the latest version [ref_id=1]. Without a fix, the only remediation is to uninstall or disable the tshirtecommerce module from the PrestaShop installation.
Preconditions
- config: The tshirtecommerce module version 2.1.4 (or earlier) must be installed and active on the PrestaShop instance
- auth: No authentication or prior access is required
- network: The attacker must be able to send HTTP requests to the PrestaShop server
- input: The attacker supplies a crafted file_name POST parameter with directory traversal sequences
Reproduction
Send a POST request to the vulnerable endpoint with a path traversal payload in the `file_name` parameter. For example:
```
curl --request POST 'https://example.test/tshirtecommerce/ajax.php?type=svg' \
  --data-urlencode 'file_name=./../config/settings.inc.php'
```
The server will attempt to parse the target file as XML and return its contents if parsing succeeds [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References