Learn about CVE-2018-19355, a vulnerability in the Customer Files Upload addon for PrestaShop versions 1.5 through 1.7, allowing remote code execution. Find mitigation steps and preventive measures here.
The 2018-08-01 version of the Customer Files Upload addon for PrestaShop (1.5 through 1.7) has a vulnerability in the modules/orderfiles/ajax/upload.php file, allowing remote attackers to execute arbitrary code.
Understanding CVE-2018-19355
This CVE involves a vulnerability in the Customer Files Upload addon for PrestaShop, potentially enabling remote code execution.
What is CVE-2018-19355?
This CVE refers to a security flaw in the Customer Files Upload addon for PrestaShop versions 1.5 through 1.7, which permits attackers to run arbitrary code by uploading a PHP file.
The Impact of CVE-2018-19355
The vulnerability in modules/orderfiles/ajax/upload.php can be exploited by remote attackers to execute malicious code on the affected system, posing a significant security risk.
Technical Details of CVE-2018-19355
The following technical details outline the specifics of this CVE.
Vulnerability Description
The vulnerability allows remote attackers to upload a PHP file through modules/orderfiles/upload.php, setting the auptype parameter in the request, and thereby execute arbitrary code on the server.
Affected Systems and Versions
Exploitation Mechanism
Attackers can exploit this vulnerability by uploading a PHP file via modules/orderfiles/upload.php and setting the auptype parameter to product, order, or cart.
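Requests to the upload endpoints described above can be reviewed in the web server access log. The following Python script is an added example, not part of the original advisory or of the addon's code; it assumes the Apache/nginx "combined" log format, and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoints and auptype values named in the CVE-2018-19355 description.
ENDPOINTS = ("/modules/orderfiles/upload.php", "/modules/orderfiles/ajax/upload.php")
AUPTYPES = {"product", "order", "cart"}

# Assumption: access log is in "combined" format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_upload_hits(lines):
    """Return one dict per request that reached an orderfiles upload endpoint."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        url = urlsplit(m["target"])
        # Normalise encoding, duplicate slashes and case before matching;
        # endswith() also covers shops installed in a subdirectory.
        path = re.sub(r"/{2,}", "/", unquote(url.path)).lower()
        if not path.endswith(ENDPOINTS):
            continue
        # auptype is visible only when sent in the query string; a value sent
        # in the POST body never reaches the access log.
        auptype = parse_qs(url.query).get("auptype", [None])[0]
        # Review first: POSTs the server answered with 2xx.
        priority = (m["method"] == "POST" and m["status"].startswith("2")
                    and (auptype is None or auptype in AUPTYPES))
        hits.append({"ip": m["ip"], "time": m["ts"], "method": m["method"],
                     "path": path, "status": int(m["status"]),
                     "auptype": auptype, "priority": priority})
    return hits

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [12/Nov/2018:10:01:02 +0000] "POST /modules/orderfiles/upload.php?auptype=product HTTP/1.1" 200 57 "-" "curl/7.58.0"',
    '198.51.100.4 - - [12/Nov/2018:10:02:10 +0000] "GET /index.php?controller=cart HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Nov/2018:10:03:44 +0000] "POST /shop/modules/orderfiles/ajax/upload.php HTTP/1.1" 200 31 "-" "curl/7.58.0"',
    '192.0.2.9 - - [12/Nov/2018:10:05:00 +0000] "GET /modules/orderfiles/upload.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_upload_hits(SAMPLE):
        print(hit)
```

A hit marked `priority` is a starting point for review: check what the same client requested afterwards and whether new `.php` files appeared on disk around that time.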
Mitigation and Prevention
Protect your systems from CVE-2018-19355 with the following measures.
Immediate Steps to Take
Long-Term Security Practices
Patching and Updates