CVE-2019-19594 Remote Code Execution in Adobe Stock API Integration for PrestaShop

CVE Ref: CVE-2019-19594
Release Date: 2019/12/05
Discovery Credits: Andrea Iodice
Bulletin Author: IA - Informática Avanzada
Contact: andrea@ia-informatica.com
Type: Remote Code Execution
Level: High
CVSS: ??
Vulnerable Application: PrestaShop (1.6 - 1.7)

Adobe Stock API Integration for PrestaShop
is a module that contains multiple vulnerabilities.

File: reset/modules/fotoliaFoto/multi_upload.php
Vulnerable Argument(s): $_FILES['afme_multiupload']

Proof of Concept:
POST files to http://hostname/reset/modules/fotoliaFoto/multi_upload.php. Uploaded files are stored in the default PrestaShop image directory, hostname/img/wlasne_foto/

reset/modules/advanced_form_maker_edit/multiupload/upload.php in the RESET.PRO Adobe Stock API integration 4.8 for PrestaShop allows remote attackers to execute arbitrary code by uploading a .php file.

Disable the PHP functions exec(), passthru(), shell_exec() and system(). Delete or edit the vulnerable file. Disable PHP execution in the images directory.
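
An added example, not part of the original bulletin or the module's code: a Python audit that walks an image upload directory such as img/wlasne_foto/ and reports files that carry a PHP extension or contain a PHP open tag. The extension list, function names and sample files are assumptions constructed for illustration.

```python
import os
import tempfile

# Extensions a web server may hand to the PHP interpreter (assumed list; adjust to your config).
PHP_EXTS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".pht"}
PHP_TAG = b"<?php"


def audit_upload_dir(root, read_limit=1024 * 1024):
    """Return sorted (relative_path, reason) pairs for files that do not belong in an image dir."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            # Check every dot-separated part: "x.php.jpg" can still run under some handler setups.
            parts = {"." + p.lower() for p in name.split(".")[1:]}
            if parts & PHP_EXTS:
                findings.append((rel, "php-extension"))
                continue
            with open(path, "rb") as fh:
                head = fh.read(read_limit)
            if PHP_TAG in head:
                findings.append((rel, "php-tag-in-content"))
    return sorted(findings)


def build_constructed_sample(root):
    """Write constructed sample files (not real indicators) to exercise the audit."""
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
        "upload.php": b"<?php echo 'constructed sample'; ?>",
        "banner.php.jpg": b"\xff\xd8\xff\xe0",
        "logo.png": b"\x89PNG\r\n\x1a\n<?php /* constructed */ ?>",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)


def demo():
    with tempfile.TemporaryDirectory() as root:
        build_constructed_sample(root)
        return audit_upload_dir(root)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason}\t{rel}")
```

Point audit_upload_dir() at the shop's real image directory; any finding there is worth reviewing, since an image directory should contain no PHP.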

