VYPR
Unrated severity · NVD Advisory · Published Jun 1, 2023 · Updated Jan 8, 2025

CVE-2023-27640

Description

An issue was discovered in the tshirtecommerce (aka Custom Product Designer) component 2.1.4 for PrestaShop. An HTTP request can be forged with the POST parameter `type` in the `/tshirtecommerce/fonts.php` endpoint, allowing a remote attacker to traverse directories on the system and open files (with no restriction on extension or path). The content of the file is returned base64-encoded. This was exploited in the wild in March 2023.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products: 2

Vulnerability mechanics

Root cause

"Missing input validation on the `type` parameter in `/tshirtecommerce/fonts.php` allows directory traversal."

Attack vector

An attacker sends an HTTP request to `/tshirtecommerce/fonts.php` with a crafted `type` parameter containing directory traversal sequences (e.g., `./../index.php`). The endpoint does not validate or sanitize the path, allowing the attacker to read arbitrary files on the server. The file content is returned base64-encoded. No authentication is required, and the attack can be performed over the network with low complexity [ref_id=1].

Affected code

The vulnerable endpoint is `/tshirtecommerce/fonts.php`, which accepts a `type` POST parameter. The advisory [ref_id=1] states that the module has not been maintained since 2019 and the issue remains unresolved in the latest version (2.1.4). No patch files are provided in the bundle.

What the fix does

No patch is available. The advisory [ref_id=1] notes that the module has not been maintained since 2019 and the vulnerability remains unresolved in the latest version (2.1.4). The recommended remediation is to remove the module entirely [ref_id=1]. A proper fix would require validating and sanitizing the `type` parameter to reject directory traversal sequences and restrict file access to an allowed set of paths.
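A hardened handler of the kind the remediation paragraph describes, as an added example that is not the module's code. It assumes fonts live under a fixed directory and that only a few font extensions are legitimate; the directory name, the function name and the JSON response shape are assumptions.

```php
<?php
// Added example, not the tshirtecommerce module's own code: a font lookup
// keyed by the untrusted POST `type` value that cannot leave the font store.
// FONTS_DIR, ALLOWED_EXTENSIONS and resolveFontPath are hypothetical names.

declare(strict_types=1);

const FONTS_DIR = __DIR__ . '/fonts';                 // assumed font store
const ALLOWED_EXTENSIONS = ['ttf', 'otf', 'woff', 'woff2'];

/**
 * Map the untrusted `type` value to a file inside FONTS_DIR, or return null.
 * Two independent checks: a syntactic allow-list on the name, then a
 * canonical-path prefix check after realpath() has resolved any "..".
 */
function resolveFontPath(string $type): ?string
{
    // 1. Syntactic allow-list: a bare file name, no separators, no "..",
    //    and only the extensions the feature actually needs.
    $pattern = '/\A[A-Za-z0-9_-]{1,64}\.(' . implode('|', ALLOWED_EXTENSIONS) . ')\z/';
    if (!preg_match($pattern, $type)) {
        return null;
    }

    // 2. Canonicalise and confirm the result is still under the fonts directory
    //    (defends against symlinks inside the store as well as traversal).
    $base      = realpath(FONTS_DIR);
    $candidate = realpath(FONTS_DIR . DIRECTORY_SEPARATOR . $type);
    if ($base === false || $candidate === false) {
        return null;                                  // store or file missing
    }
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                                  // resolved outside the store
    }
    return is_file($candidate) ? $candidate : null;
}

// Request handling: fail closed with 400 rather than echoing arbitrary files.
$type = (isset($_POST['type']) && is_string($_POST['type'])) ? $_POST['type'] : '';
$path = resolveFontPath($type);
if ($path === null) {
    http_response_code(400);
    exit('invalid font');
}
header('Content-Type: application/json');
echo json_encode(['font' => base64_encode((string) file_get_contents($path))]);
```

With this in place the page's `type=./../index.php` payload fails the allow-list before any filesystem call, and a value such as `Roboto.ttf` is served only if it resolves inside the font store.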

Preconditions

  • config: The tshirtecommerce module (version <= 2.1.4) must be installed and accessible on the PrestaShop instance
  • network: The attacker must be able to send HTTP POST requests to the `/tshirtecommerce/fonts.php` endpoint
  • auth: No authentication or prior access is required
  • input: The attacker provides a crafted `type` parameter containing directory traversal sequences

Reproduction

Send a POST request to the vulnerable endpoint with a directory traversal payload in the `type` parameter. For example:

```http
POST /tshirtecommerce/fonts.php HTTP/1.1
Host: example.test
Content-Type: application/x-www-form-urlencoded

name=2&type=./../index.php
```

The server responds with the contents of the requested file encoded in base64 [ref_id=1].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1