CVE-2024-41651

An issue in Prestashop v.8.1.7 and before allows a remote attacker to execute arbitrary code via the module upgrade functionality. NOTE: this is disputed by multiple parties, who report that exploitation requires that an attacker be able to hijack network requests made by an admin user (who, by design, is allowed to change the code that is running on the server).
References
Link - Resource
https://github.com/Fckroun/CVE-2024-41651/tree/main - Exploit, Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:prestashop:prestashop:*:*:*:*:*:*:*:*

History

09 Oct 2024, 18:15

Type Values Removed Values Added
Summary
  Removed: (en) An issue in Prestashop v.8.1.7 and before allows a remote attacker to execute arbitrary code via the module upgrade functionality.
  Added: (en) An issue in Prestashop v.8.1.7 and before allows a remote attacker to execute arbitrary code via the module upgrade functionality. NOTE: this is disputed by multiple parties, who report that exploitation requires that an attacker be able to hijack network requests made by an admin user (who, by design, is allowed to change the code that is running on the server).

03 Oct 2024, 13:45

Type Values Removed Values Added
CPE cpe:2.3:a:prestashop:prestashop:*:*:*:*:*:*:*:*
CWE CWE-918
CVSS
  Removed: v2 : unknown, v3 : 9.8
  Added: v2 : unknown, v3 : 8.1
References
  Removed: () https://github.com/Fckroun/CVE-2024-41651/tree/main -
  Added: () https://github.com/Fckroun/CVE-2024-41651/tree/main - Exploit, Third Party Advisory
First Time Prestashop prestashop
Prestashop

14 Aug 2024, 21:35

Type Values Removed Values Added
CWE CWE-94
Summary
  • (es) An issue in Prestashop v.8.1.7 and earlier allows a remote attacker to execute arbitrary code via the module upgrade functionality.
CVSS
  Removed: v2 : unknown, v3 : unknown
  Added: v2 : unknown, v3 : 9.8

12 Aug 2024, 17:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-08-12 17:15

Updated : 2024-10-09 18:15


NVD link : CVE-2024-41651

Mitre link : CVE-2024-41651

CVE.ORG link : CVE-2024-41651


Products Affected

prestashop

  • prestashop
CWE
CWE-918

Server-Side Request Forgery (SSRF)

CWE-94

Improper Control of Generation of Code ('Code Injection')