CVE-2019-19595 Remote Code Execution in Adobe Stock API Integration for PrestaShop
CVE Ref: CVE-2019-19595
Release Date: 2019/12/05
Discovery Credits: Andrea Iodice
Bulletin Author: IA - Informática Avanzada
Contact: andrea@ia-informatica.com
Type: Remote Code Execution
Level: High
CVSS: ??
Vulnerable Application: Prestashop (1.6 - 1.7)
Overview:
Adobe Stock API Integration for PrestaShop is a PrestaShop module affected by multiple vulnerabilities.
Scope:
File: reset/modules/advanced_form_maker_edit/multiupload/upload.php
Vulnerable Argument(s): $_FILES['myfile']
Proof of Concept:
POST a file to http://hostname/reset/modules/advanced_form_maker_edit/multiupload/upload.php; uploaded files are stored under the same path, inside the uploads folder.
Description:
reset/modules/advanced_form_maker_edit/multiupload/upload.php in the
RESET.PRO Adobe Stock API integration 4.8 for PrestaShop allows remote attackers
to execute arbitrary code by uploading a .php file.
Solutions:
Disable the PHP functions exec(), passthru(), shell_exec() and system(); delete or edit the vulnerable file; disable PHP execution in the images directory.
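The root cause described above is an upload handler that writes whatever arrives in $_FILES['myfile'] into a web-served directory under a client-chosen name. The following is an added hardening example, not code from the RESET.PRO module or from PrestaShop: it shows what a defensive replacement for such a handler looks like. The field name myfile is taken from the advisory; the storage path UPLOAD_DIR, the size limit, the allowlist and the function names are assumptions made for this example.

```php
<?php
// Added hardening example (not the vulnerable module's code): a defensive
// upload handler for the $_FILES['myfile'] field named in the advisory.
// Assumptions (hypothetical): UPLOAD_DIR lies outside the web root and is
// never served as PHP; authentication has already been enforced by the caller.

declare(strict_types=1);

const UPLOAD_DIR = '/var/www/private_uploads'; // hypothetical, not web-served
const MAX_BYTES  = 5 * 1024 * 1024;            // hypothetical size cap

// Allowlist: extension => MIME types that finfo may report for that extension.
// Anything not listed here (.php, .phtml, .htaccess, ...) is rejected outright.
const ALLOWED = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'gif'  => ['image/gif'],
    'pdf'  => ['application/pdf'],
];

/**
 * Validate one $_FILES entry. Returns [true, $extension] on success or
 * [false, $reason] on failure. Neither the client-supplied name nor the
 * client-supplied 'type' is trusted for the decision.
 */
function validateUpload(array $file): array
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return [false, 'upload failed or missing'];
    }
    if ($file['size'] > MAX_BYTES) {
        return [false, 'file too large'];
    }
    // Only files that really came through PHP's upload mechanism are accepted.
    if (!is_uploaded_file($file['tmp_name'])) {
        return [false, 'not an uploaded file'];
    }
    // Extension taken from the client name is used only as an allowlist key;
    // the stored name is generated server-side below.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        return [false, 'extension not allowed'];
    }
    // Sniff the real content type; $file['type'] is client-controlled and ignored.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime === false || !in_array($mime, ALLOWED[$ext], true)) {
        return [false, 'content does not match extension'];
    }
    return [true, $ext];
}

/**
 * Store a validated upload under a random server-chosen name so the client
 * controls neither the path nor the filename. Returns the stored name or null.
 */
function storeUpload(array $file): ?string
{
    [$ok, $extOrReason] = validateUpload($file);
    if (!$ok) {
        error_log('rejected upload: ' . $extOrReason); // detection: log every rejection
        return null;
    }
    $name = bin2hex(random_bytes(16)) . '.' . $extOrReason;
    $dest = UPLOAD_DIR . DIRECTORY_SEPARATOR . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0640); // stored files are never executable
    return $name;
}

if (isset($_FILES['myfile'])) {
    header('Content-Type: application/json');
    $stored = storeUpload($_FILES['myfile']);
    http_response_code($stored === null ? 400 : 200);
    echo json_encode(['stored' => $stored]);
}
```

This handler is a defence in depth complement to the mitigations listed under Solutions, not a replacement for them: even with strict validation, the upload directory should be configured so the web server never executes PHP from it, and the dangerous functions named above should stay disabled in php.ini, so that a bypass of the allowlist still yields no code execution.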