VYPR
← All advisories
Moderate severityNVD Advisory· Published Nov 8, 2023· Updated Sep 4, 2024

PrestaShop blockreassurance BO User can remove any file from server when adding a and deleting a block

CVE-2023-47109

Description

PrestaShop blockreassurance module v5.1.4- allows arbitrary file deletion via manipulated image path in block deletion, risking full site unavailability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

PrestaShop blockreassurance module v5.1.4- allows arbitrary file deletion via manipulated image path in block deletion, risking full site unavailability.

Root

Cause

The PrestaShop blockreassurance module (versions prior to 5.1.4) contains a path traversal vulnerability in the block deletion process. A back‑office user with permissions to manage reassurance blocks can modify the HTTP request to set the custom_icon field to an arbitrary file path relative to the project root (e.g., _PS_ROOT_DIR_ . $blockPSR['custom_icon']). When the block is subsequently deleted, the module calls unlink() on that path without validating that it points to an allowed directory or file type [1][2].

Exploitation

To exploit, an authenticated back‑office user only needs the ability to add and delete reassurance blocks. During block creation or editing, the user intercepts the request and replaces the intended image filename with a path like /index.php (or any other file under the web root). The module stores the path as‑is in the database. When the delete action is triggered via displayAjaxDeleteBlock(), the code constructs the full path and removes the file – no further authentication or privilege escalation is required [2][3].

Impact

Successful exploitation allows the attacker to delete arbitrary files accessible to the web server process. Deleting critical files (e.g., index.php, configuration files) can render the entire PrestaShop website unavailable, leading to denial of service. Additionally, the attacker could remove security‑sensitive files such as .htaccess or custom templates, potentially enabling further attacks [3][4].

Mitigation

The vulnerability is patched in blockreassurance version 5.1.4. The fix restricts the deletion to files located in the module's dedicated image directory and introduces extension/ MIME‑type validation for uploaded images. All users of PrestaShop should update the module immediately. No workaround is provided for older versions [1][3][4].

References
  1. NVD - CVE-2023-47109
  2. Merge pull request #619 from matthieu-rolland/add-security-fixes · PrestaShop/blockreassurance@eec00da
  3. Merge pull request from GHSA-83j2-qhx2-p7jc · PrestaShop/blockreassurance@2d0e97b
  4. BO User can remove any file from server when adding a and deleting a block

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
prestashop/blockreassurancePackagist
< 5.1.45.1.4

Affected products

2

Patches

2
2d0e97bebf79

Merge pull request from GHSA-83j2-qhx2-p7jc

https://github.com/PrestaShop/blockreassuranceMatthieu RollandNov 8, 2023via ghsa
commit
eec00da564db

Merge pull request #619 from matthieu-rolland/add-security-fixes

https://github.com/PrestaShop/blockreassuranceMatthieu RollandNov 8, 2023via ghsa
commit
2 files changed · +47 9
  • blockreassurance.php+5 0 modified
    @@ -41,6 +41,11 @@ class blockreassurance extends Module implements WidgetInterface
     const POSITION_BELOW_HEADER = 1;
     const POSITION_ABOVE_HEADER = 2;
 
+    const PSR_HOOK_HEADER = 'PSR_HOOK_HEADER';
+    const PSR_HOOK_FOOTER = 'PSR_HOOK_FOOTER';
+    const PSR_HOOK_PRODUCT = 'PSR_HOOK_PRODUCT';
+    const PSR_HOOK_CHECKOUT = 'PSR_HOOK_CHECKOUT';
+
     /** @var string */
     public $name;
     /** @var string */
  • controllers/admin/AdminBlockListingController.php+42 9 modified
    @@ -70,7 +70,7 @@ public function displayAjaxDeleteBlock()
             $result = true;
             // Remove Custom icon
             if (!empty($blockPSR['custom_icon'])) {
-                $filePath = _PS_ROOT_DIR_ . $blockPSR['custom_icon'];
+                $filePath = _PS_ROOT_DIR_ . $this->module->img_path_perso . '/' . basename($blockPSR['custom_icon']);
                 if (file_exists($filePath)) {
                     $result = unlink($filePath);
                 }
@@ -100,12 +100,7 @@ public function displayAjaxSavePositionByHook()
         $value = Tools::getValue('value');
         $result = false;
 
-        if (!empty($hook) && in_array($value, [
-                blockreassurance::POSITION_NONE,
-                blockreassurance::POSITION_BELOW_HEADER,
-                blockreassurance::POSITION_ABOVE_HEADER,
-            ])
-        ) {
+        if ($this->isAuthorizedHookConfigurationKey($hook) && $this->isAuthorizedPositionValue($value)) {
             $result = Configuration::updateValue($hook, $value);
         }
 
@@ -148,6 +143,14 @@ public function displayAjaxSaveBlockContent()
         $type_link = (int) Tools::getValue('typelink');
         $id_cms = Tools::getValue('id_cms');
         $psr_languages = (array) json_decode(Tools::getValue('lang_values'));
+        $authExtensions = ['gif', 'jpg', 'jpeg', 'jpe', 'png', 'svg'];
+        $authMimeType = ['image/gif', 'image/jpg', 'image/jpeg', 'image/pjpeg', 'image/png', 'image/x-png', 'image/svg', 'image/svg+xml'];
+
+        if (!empty($picto) && !in_array(pathinfo($picto, PATHINFO_EXTENSION), $authExtensions)) {
+            $errors[] = Context::getContext()->getTranslator()->trans('Image format not recognized, allowed formats are: .gif, .jpg, .png', [], 'Admin.Notifications.Error');
+
+            return $this->ajaxRenderJson(empty($errors) ? 'success' : 'error');
+        }
 
         $blockPsr = new ReassuranceActivity($id_block);
         if (!$id_block) {
@@ -173,8 +176,6 @@ public function displayAjaxSaveBlockContent()
             $filename = $customImage['name'];
 
             // validateUpload return false if no error (false -> OK)
-            $authExtensions = ['gif', 'jpg', 'jpeg', 'jpe', 'png', 'svg'];
-            $authMimeType = ['image/gif', 'image/jpg', 'image/jpeg', 'image/pjpeg', 'image/png', 'image/x-png', 'image/svg', 'image/svg+xml'];
             if (version_compare(_PS_VERSION_, '1.7.7.0', '>=')) {
                 // PrestaShop 1.7.7.0+
                 $validUpload = ImageManager::validateUpload(
@@ -249,4 +250,36 @@ public function displayAjaxUpdatePosition()
         // Response
         $this->ajaxRenderJson($result ? 'success' : 'error');
     }
+
+    /**
+     * @param string $hook
+     *
+     * @return bool
+     */
+    private function isAuthorizedHookConfigurationKey($hook)
+    {
+        return
+            !empty($hook) &&
+            in_array($hook, [
+                blockreassurance::PSR_HOOK_HEADER,
+                blockreassurance::PSR_HOOK_FOOTER,
+                blockreassurance::PSR_HOOK_PRODUCT,
+                blockreassurance::PSR_HOOK_CHECKOUT,
+            ], true)
+        ;
+    }
+
+    /**
+     * @param string $value
+     *
+     * @return bool
+     */
+    private function isAuthorizedPositionValue($value)
+    {
+        return in_array((int) $value, [
+            blockreassurance::POSITION_NONE,
+            blockreassurance::POSITION_BELOW_HEADER,
+            blockreassurance::POSITION_ABOVE_HEADER,
+        ], true);
+    }
 }

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

6

News mentions

0

No linked articles in our index yet.