CVE-2023-45384

Vulnerability

The KnowBand "Module One Page Checkout, Social Login & Mailchimp" (supercheckout) for PrestaShop versions greater than 5.0.7 and less than 6.0.7 (i.e., 5.0.8 through 6.0.6) contains an unrestricted file upload vulnerability in the method SupercheckoutSupercheckoutModuleFrontController::saveFileTypeCustomField(). This method allows unauthenticated users to upload files with the .php extension, which are dangerous types [1].

Exploitation

An attacker with network access can exploit this vulnerability without any authentication or user interaction. By sending a crafted POST request to the vulnerable front controller, a guest can upload a malicious .php file. The advisory notes that attackers can conceal the module controller's path, making detection difficult; conventional frontend logs only show "POST /" [1]. This exploit is actively being used in the wild.

Impact

Successful exploitation allows arbitrary PHP file upload, leading to remote code execution (CWE-94). The attacker can achieve full compromise of the PrestaShop instance, including obtaining admin access, stealing data, and removing data. The CVSS score is 10 (critical) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, indicating high impact on confidentiality, integrity, and availability with a changed scope [1].

Mitigation

The vulnerability is fixed in version 6.0.7 of the supercheckout module. Users should upgrade to this version immediately. As a workaround, if upgrading is not possible, it is recommended to activate OWASP 933 rules on a Web Application Firewall (WAF), though this may break the backoffice and require pre-configured bypasses [1].