Vulnerability identifier: #VU44476
Vulnerability risk: Medium
CVSSv3.1: 4.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C]
CVE-ID:
CWE-ID: CWE-94
Exploitation vector: Network
Exploit availability: Yes
Vulnerable software: PrestaShop (Web applications / E-Commerce systems)
Vendor: PrestaShop SA
Description
The vulnerability allows a remote non-authenticated attacker to manipulate data.
CRLF injection vulnerability in admin/displayImage.php in Prestashop 1.4.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the name parameter.
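The description above is the whole of what the page says about the flaw: a request parameter is copied into a response header, so a CR/LF pair inside it ends the header line and lets the rest of the value be parsed as further headers. The following is an added illustration, not PrestaShop's code: the exact header that displayImage.php emits is not on the page, so the Content-Disposition header, the function names and the sample parameter values are all assumptions. It shows the unsafe pattern next to a hardened version that refuses control characters, plus a small helper for spotting CR/LF (including double-encoded forms) in logged request parameters.

```python
"""
Constructed example of CRLF/header injection through a user-supplied
'name' parameter. Nothing here is taken from PrestaShop; the header
used and the sample values are assumptions for illustration.
"""
from urllib.parse import unquote


class HeaderInjectionError(ValueError):
    """Raised when a value contains characters that would split a header line."""


def build_header_unsafe(name: str) -> str:
    # Vulnerable pattern: the raw parameter is interpolated into a header
    # line. A "\r\n" inside `name` terminates the line early.
    return f"Content-Disposition: inline; filename={name}"


def build_header_safe(name: str) -> str:
    # Hardened pattern: reject CR, LF and NUL outright instead of trying to
    # strip them (stripping can be bypassed by encodings the stripper misses).
    if any(c in name for c in "\r\n\x00"):
        raise HeaderInjectionError("control character in header value")
    # Quote the filename so ';' or '"' inside it cannot add parameters.
    escaped = name.replace("\\", "\\\\").replace('"', '\\"')
    return f'Content-Disposition: inline; filename="{escaped}"'


def split_headers(raw_head: str) -> list[str]:
    # What an HTTP client sees: every CRLF starts a new header line.
    return [line for line in raw_head.split("\r\n") if line]


def parameter_has_crlf(encoded_value: str) -> bool:
    # Detection helper for reviewing access logs or WAF captures. URL-decode
    # twice so that double-encoded sequences (%250d%250a) are also caught.
    decoded = unquote(unquote(encoded_value))
    return "\r" in decoded or "\n" in decoded


if __name__ == "__main__":
    # Constructed parameter value: a filename followed by an injected line.
    tainted = "logo.jpg\r\nX-Injected: 1"
    print("unsafe ->", split_headers(build_header_unsafe(tainted)))
    try:
        build_header_safe(tainted)
    except HeaderInjectionError as exc:
        print("safe   -> rejected:", exc)
    print("log check ->", parameter_has_crlf("logo.jpg%0d%0aX-Injected:%201"))
```

With the tainted value the unsafe builder yields two header lines, the second one entirely under the requester's control; the hardened builder raises instead, and the log helper flags the URL-encoded form of the same value so the request can be surfaced during review.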
Mitigation
Install update from vendor's website.
Vulnerable software versions
PrestaShop: 1.4.4.1
External links
http://www.securityfocus.com/bid/50785
http://www.dognaedis.com/vulns/DGS-SEC-7.html
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.