CVE-2022-45448

M4 PDF plugin for Prestashop sites, in its 3.2.3 version and before, is vulnerable to an arbitrary HTML Document crafting vulnerability. The resource /m4pdf/pdf.php uses templates to dynamically create documents. In the case that the template does not exist, the application will return a fixed document with a message in mpdf format. An attacker could exploit this vulnerability by inputting a valid HTML/CSS document as the value of the parameter.
Configurations

Configuration 1 (hide)

cpe:2.3:a:prestashop:m4_pdf:*:*:*:*:*:prestashop:*:*

History

21 Nov 2024, 07:29

Type Values Removed Values Added
References () https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-m4-pdf-plugin-prestashop-sites - Third Party Advisory () https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-m4-pdf-plugin-prestashop-sites - Third Party Advisory
CVSS v2 : unknown
v3 : 6.1
v2 : unknown
v3 : 3.5

22 Sep 2023, 19:33

Type Values Removed Values Added
CWE CWE-79
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 6.1
References (MISC) https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-m4-pdf-plugin-prestashop-sites - (MISC) https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-m4-pdf-plugin-prestashop-sites - Third Party Advisory
First Time Prestashop m4 Pdf
Prestashop
CPE cpe:2.3:a:prestashop:m4_pdf:*:*:*:*:*:prestashop:*:*

20 Sep 2023, 13:15

Type Values Removed Values Added
New CVE

Information

Published : 2023-09-20 13:15

Updated : 2024-11-21 07:29


NVD link : CVE-2022-45448

Mitre link : CVE-2022-45448

CVE.ORG link : CVE-2022-45448


JSON object : View

Products Affected

prestashop

  • m4_pdf
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')