Incorrect Access Control in the module "My inventory" (myinventory) <= 1.6.6 from Webbax for PrestaShop, allows a guest to download personal information without restriction by performing a path traversal attack.

In the module “My inventory” (myinventory) from Webbax for PrestaShop, a guest can download personnal informations without restriction by performing a path traversal attack.

**Summary**

*   **CVE ID**: CVE-2023-30197
*   **Published at**: 2023-05-30
*   **Platform**: PrestaShop
*   **Product**: myinventory
*   **Impacted release**: <= 1.6.6 (1.6.7 fixed the vulnerability)
*   **Product author**: Webbax
*   **Weakness**: CWE-22
*   **Severity**: high (7.5), GDPR violation

**Description**

Due to a lack of permissions’s control and a lack of control in the path name’s construction, a guest can perform a path traversal to view all files on the information system.

WARNING : We are forced to tag it as a medium gravity due to the CWE type 22 but be warned that on our ecosystem, it must be considered critical since it unlocks hundreds admin’s ajax script of modules due to this : https://github.com/PrestaShop/PrestaShop/blob/6c05518b807d014ee8edb811041e3de232520c28/classes/Tools.php#L1247.

**CVSS base metrics**

*   **Attack vector**: network
*   **Attack complexity**: low
*   **Privilege required**: none
*   **User interaction**: none
*   **Scope**: unchanged
*   **Confidentiality**: high
*   **Integrity**: none
*   **Availability**: none

**Vector string**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

**Possible malicious usage**

*   Stealing secrets to unlock admin controllers based on ajax script
*   Exfiltrate all modules with all versions to facilited pentesting
*   Stealing table\_prefix to greatly facilitate SQL injections for kiddies who don’t known how exploit DBMS design’s vulnerabilities or stealing database access to login in exposed PHPMyAdmin/Adminer/etc.
*   Bypass WAF / htaccess restrictions to read forbidden files (such as logs on predictible paths of banks’s modules inside /var/log/)

**Patch from 1.6.6**

    --- 1.6.6/modules/myinventory/downloads/download.php
    +++ 1.6.7/modules/myinventory/downloads/download.php
    - $file = Tools::getValue('file');
    + $file = basename(Tools::getValue('file')).'.csv';
    
    +if((strpos($file, './') === false) && substr($file,-4) == '.csv'){
    ...
    +}
    

**Other recommandations**

*   You should consider to restrict the access of modules/myinventory/ to a whitelist or delete the module
*   NEVER exposed a PHPMyAdmin / Adminer / etc without, at least, a htpasswd
*   Activate OWASP 930’s rules on your WAF (Web application firewall) and adjust it for your Prestashop

**Timeline**

Date

Action

2023-02-25

Issue discovered during a code review by TouchWeb.fr

2023-02-25

Contact Author

2023-02-27

Author confirm alert’s read

2023-04-24

Received CVE ID

2023-05-02

Author publish a new version which fix the leak

2023-05-30

Publish this security advisory

**Links**

*   Author download page
*   National Vulnerability Database

CVE-2023-30197: [CVE-2023-30197] Improper Limitation of a Pathname to a Restricted Directory in Webbax - My inventory module for PrestaShop

SQL Injection vulnerability found in Fighting Cock Information System v.1.0 allows a remote attacker to obtain sensitive information via the edit_breed.php parameter.

Submitted by chrisjelo on Tuesday, April 6, 2021 - 16:57.

The **Fighting Cock Information System** coordinates and integrates all essentials activities involved in running a fighting cock farm. The system had specified security and functionality standards for managing records and information. The primary purpose was to automate breeding, render timely services to each stage of chicken, maintained records and conditioning programs to make data retrieval easy and efficient.

The **Fighting Cock Information System (FCIS)** provides the fighting cock farm handler to deliver services efficiently and effectively. It provides the primary function of the system such as recording, monitoring, and managing records from breeding up to deployment stage which was the fighting cock. The system schedules the activity to be done by the handler such as feeding, immunization, vaccination, and deworming. The system could generate reports on the bloodline, the actions done, and the total number of chickens. The system has a conditioning program that was a special module for the chicken to be deployed in a cockfight.

In this system, stages of chicken could be classified as chicks, stag, bull stag, and cock. Furthermore, the system could generate alerts if the chicken could be transferred in a predefined stage or age. Also, the system supports the farm by providing a database that would hold all the data related to Information System, making it safe from natural risk, inconsistencies, and error.

**Login page:**

**Admin dashboard:**

**Sample pages:**

****Features****

*   **Login/Logout**
*   **Dashboard**
*   **Manage Breeding List**
    *   **Sire**
    *   **Dam**
    *   **Breed**
    *   **Mating Information**
*   **Manage Services**
    *   **Deworming**
    *   **Vaccination**
    *   **Immunization**
    *   **Feeding**
*   **Manage Records**
    *   **Fowl Information**
    *   **Chicks**
    *   **Stags**
    *   **Bull Stags**
    *   **Fighting Cocks**
*   **Manage Conditioning program**
*   **Generates Reports**

****How to Run****

**Requirements**

*   **Download** and **Install** any **local web server** such as **XAMPP/WAMP.**
*   **Download** the provided source code **zip** file. (_download button is located below_)

**Installation/Setup**

1.  **Open** your **XAMPP/WAMP's Control Panel** and start the **"Apache"** and **"MySQL"**.
2.  **Extract** the **downloaded source code file**.
3.  If you are using **XAMPP**, **copy** the extracted source code folder and **paste** it into the **XAMPP's "htdocs" directory**. And If you are using **WAMP**, **paste** it into the **"www" directory.**
4.  **Browse** the **PHPMyAdmin** in a **browser**. i.e. **http://localhost/phpmyadmin**
5.  **Create** a **new database** naming **"breeders"**.
6.  **Import** the provided **SQL** file. The file is known as **"breeders.sql"** located inside the **"db"** folder.
7.  **Browse** the Web Application in a **browser**. i.e. **http://localhost/FCIS**

****Credential****

Admin account:  
Username: **admin**  
Password: **admin**

****Demo****

That's it! I hope this **Fighting Cock Information System** will help you with what you are looking for.

For more information about this system. You can contact me @  
**Email** – \[email protected\]  
**Mobile No.**: 09121067791(TNT)  
**FB Account** – https://www.facebook.com/chrisjelo

**Enjoy :)**

*   4109 views

CVE-2021-31233: Fighting Cock Information System using PHP with Source Code

Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.14.

CVE-2023-2998: huntr – Security Bounties for any GitHub repository

CVE-2023-2999: huntr – Security Bounties for any GitHub repository

A vulnerability was found in BestWebSoft Twitter Plugin up to 2.14 on WordPress. It has been classified as problematic. Affected is the function twttr_settings_page of the file twitter.php of the component Settings Page. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. Upgrading to version 2.15 is able to address this issue. The name of the patch is a6d4659cbb2cbf18ccb0fb43549d5113d74e0146. It is recommended to upgrade the affected component. VDB-230154 is the identifier assigned to this vulnerability.

@@ -0,0 +1,136 @@ msgid "" msgstr "" "Project-Id-Version: twitter\\n" "Report-Msgid-Bugs-To: \\n" "POT-Creation-Date: 2012-07-24 20:03+0300\\n" "PO-Revision-Date: 2012-07-24 20:03+0300\\n" "Last-Translator: zos <zos@bestwebsoft.com>\\n" "Language-Team: Albayan Design Hani Aladoli <info@albayan-design.com>\\n" "Language: \\n" "MIME-Version: 1.0\\n" "Content-Type: text/plain; charset=UTF-8\\n" "Content-Transfer-Encoding: 8bit\\n" "X-Poedit-KeywordsList: \_\_;\_e\\n" "X-Poedit-Basepath: ..\\n" "X-Poedit-Language: arabic\\n" "X-Poedit-Country: libya\\n" "X-Poedit-SourceCharset: utf-8\\n" "X-Poedit-SearchPath-0: .\\n"  
#: twitter.php:80 msgid "Activated plugins" msgstr "الاضافات المفعلة "  
#: twitter.php:82 #: twitter.php:90 #: twitter.php:98 msgid "Read more" msgstr "اقراء المزيد"  
#: twitter.php:82 #: twitter.php:245 #: twitter.php:254 msgid "Settings" msgstr "الاعدادت "  
#: twitter.php:88 msgid "Installed plugins" msgstr "الاضافات المركبة"  
#: twitter.php:96 msgid "Recommended plugins" msgstr "اضافات موصي بها"  
#: twitter.php:98 msgid "Download" msgstr "تحميل"  
#: twitter.php:98 #, php-format msgid "Install %s" msgstr "تركيب %s"  
#: twitter.php:98 msgid "Install now from wordpress.org" msgstr "نزلها الان من wordpress.org"  
#: twitter.php:100 msgid "If you have any questions, please contact us via plugin@bestwebsoft.com or fill in our contact form on our site" msgstr "اذا كان لديك اي استفسار او سؤال الرجاء الاتصال بنا عبر بريدنا الالكتروني : contact us via plugin@bestwebsoft.com , او المراسلة الفورية من واجهة الاتصال بنا علي موقعنا الخاص"  
#: twitter.php:131 #: twitter.php:153 msgid "Twitter Options" msgstr "خيارات التويتر"  
#: twitter.php:131 msgid "Twitter" msgstr "التويتر"  
#: twitter.php:149 msgid "Options saved." msgstr "تم حفظ الخيارات"  
#: twitter.php:160 msgid "Settings for the button \\"Follow Me\\":" msgstr "اعدادات زر \\"Follow Me\\":"  
#: twitter.php:164 msgid "Enter your username:" msgstr "اكتب اسم المستخدم :"  
#: twitter.php:168 msgid "If you do not have Twitter account yet you need to create it using this link" msgstr "اذا كنت لا تملك حساب علي التويتر يمكنك انشاء حساب جديد عبر هذه الرابط"  
#: twitter.php:169 msgid "Put a shortcode \[follow\_me\] on necessary page or post to use \\"Follow Me\\" button." msgstr "ضع هذه الكود \[follow\_me\]في الصفحات المطلوبه او في المواضيع \\"Follow Me\\" زر."  
#: twitter.php:170 msgid "If you would like to utilize this button in another place, please put strings below into the template source code" msgstr "إذا كنت ترغب في الاستفادة من هذا الزر في مكان آخر، يرجي وضع الاعدادات في الاسفل ( مربع الكود )"  
#: twitter.php:174 msgid "Settings for the button \\"Twitter\\":" msgstr "اعدادات لهذه الزر \\"Twitter\\":"  
#: twitter.php:178 msgid "Choose a position for an icon \\"Twitter\\":" msgstr "اختار مكان لوضع ايقونه \\"Twitter\\":"  
#: twitter.php:181 msgid "Top position" msgstr "في الاعلي "  
#: twitter.php:182 msgid "Bottom position" msgstr "في الاسفل"  
#: twitter.php:183 msgid "When clicking this sign a user adds to their twitter page article that they liked along with a link to it." msgstr "عند النقر على هذا العلامة على أن يضيف المستخدم إلى صفحة مقالتهم في تويتر مع روابطها"  
#: twitter.php:188 msgid "Save Changes" msgstr "حفظ الاعدادت"  
#: twitter.php:224 msgid "Click here if you liked this article." msgstr "اضغط هنا اذا اعجبك هذه المقال"  
#: twitter.php:255 msgid "FAQ" msgstr "أسئلة وأجوبة"  
#: twitter.php:256 msgid "Support" msgstr "الدعم"  
#~ msgid "BWS Plugins" #~ msgstr "Плагины BWS" #~ msgid "Install Now" #~ msgstr "Установить сейчас" #~ msgid "Twitter options" #~ msgstr "Опции Twitter"

CVE-2012-10015: V2.15 - Arabic language file is added to the plugin. Cross Site Reque… · wp-plugins/twitter-plugin@a6d4659

Leantime is a lean open source project management system. Starting in version 2.3.21, an authenticated user with commenting privileges can inject malicious Javascript into a comment. Once the malicious comment is loaded in the browser by a user, the malicious Javascript code executes. As of time of publication, a patch does not exist.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

*   Notifications
*   Fork 402

*   Code
*   Issues 166
*   Pull requests
*   Discussions
*   Actions
*   Projects 2
*   Security
*   Insights

**Package**

app/domain/comments/services/class.comments.php (Leantime)

**Affected versions**

all versions => 2.3.21

**Description**

**Summary**

An authenticated user with commenting privileges can inject malicious Javascript into a comment. Once the malicious comment is loaded in the browser by a user, the malicious Javascript code executes.

**Severity**

**CVSS base metrics**

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L

**Weaknesses**

CVE-2023-33961: Stored XSS Vulnerability

BlueCMS v1.6 was discovered to contain a SQL injection vulnerability via the keywords parameter at search.php.

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

CVE-2023-33734: GitHub - Peanuts-s/BlueCms

Papaya Medical Viewer version 1.0 suffers from a cross site scripting vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

Title  
=====

SCHUTZWERK-SA-2022-001: Cross-Site-Scripting in Papaya Medical Viewer

Status  
======

PUBLISHED

Version  
=======

1.0

CVE reference  
=============

CVE-2023-33255

Link  
====

https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2022-001/

Text-only version:  
https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2022-001.txt

Further SCHUTZWERK advisories:  
https://www.schutzwerk.com/blog/tags/advisories/

Affected products/vendor  
========================

Papaya, Research Imaging Institute - University of Texas Health Science   
Center

Summary  
=======

User supplied input in the form of DICOM or NIFTI images can be loaded   
into the  
Papaya web application without any kind of sanitization. This allows to   
inject  
arbitrary JavaScript code into the image's metadata which will in   
consequence be  
executed as soon as the metadata is displayed in the Papaya web application.

Risk  
====

The vulnerability allows an attacker to inject arbitrary JavaScript code   
into  
the Papaya web application. A risk calculation highly depends on how the   
Papaya  
software is used as a library in the context of a bigger medical web  
application. During the discovery of this vulnerability, the web application  
which used Papaya allowed to upload and store corresponding images on   
the web  
server and display them to multiple users. It was therefore possible to   
store  
JavaScript code on the server and attack users to impersonate or steal their  
session, leading to a disclosure of sensitive medical data.

Description  
===========

A medical web application assessed for security vulnerabilities by   
SCHUTZWERK  
was found to contain a stored cross-site-scripting vulnerability. The  
application uses the Papaya JavaScript software[0] published by the Research  
Imaging Institute belonging to the University of Texas Health Science   
Center[1].

The software is described as "[..] a pure JavaScript medical research image  
viewer, supporting DICOM and NIFTI formats, compatible across a range of web  
browsers [..]". It can be used stand-alone or integrated into larger medical  
applications, has 192 forks and 488 stars on GitHub and was used in at   
least 50  
published academic research papers[2].

One of the main features is to open medical images of multiple formats,   
which  
can be achieved via the context menu "File - Add image...". Papaya then   
displays  
the image and adds a new icon in the upper right corner of the viewer.   
This icon  
allows to open another context menu to edit the previous opened image as   
a layer  
in multiple ways. The option of interest for the cross-site-scripting  
vulnerability is the "Show Header" entry, which allows getting further  
information about the medical image.

An example DICOM[3] zip archive was downloaded[4], extracted and opened in  
Papaya. The "Show Header" function shows multiple entries including private  
patient data fields like patient ID, name, date of birth and gender.

The DICOM ToolKit (DCMTK)[5] offers multiple tools to analyze, create   
and edit  
DICOM images. The metadata field "Manufacturer" of the previously downloaded  
DICOM image was edited with help of the DCMTK tool dcmodify:

DICTPATH=/tmp/share/dcmtk/dicom.dic dcmodify -m  
"Manufacturer=<script>alert(1)</script>" 2_skull_ct/DICOM/I0

The DCMTK tool dcmdump can be used to verify the manipulated metadata entry:

dcmdump 2_skull_ct/DICOM/I0

[..]  
# Dicom-Data-Set  
[..] (0008,0070) LO [<script>alert(1)</script>]              #  26, 1   
Unknown  
Tag & Data [..]

Viewing the header information of the manipulated DICOM image in Papaya   
executes  
the injected JavaScript code in the web browser.

SCHUTZWERK decided to publish the still existing vulnerability (commit   
4a42701),  
since the vendor did not implement any remediation several months after new  
contributors have been introduced to the project.

Solution/Mitigation  
===================

Several mitigation recommendations have been sent to the vendor. These   
include  
common mitigation strategies from OWASP[6], like escaping user   
controlled input  
and the usage of popular JavaScript libraries like DomPurify[7].

As a quick workaround, the context menu, which allows showing header   
information  
can be disabled by setting the variable kioskMode to true.

Disclosure timeline  
===================

2020-08-20: Vulnerability discovered 2020-08-20: Vulnerability reported to  
             vendor  
2020-09-30: Contacted vendor again  
2020-09-30: Vendor responds and asks for mitigation ideas  
2020-10-01: Response to vendor with detailed information and mitigation   
ideas  
2020-11-09: Contacted vendor again for any status updates  
2022-08-30: Retest of the customer application including the Papaya web  
             application  
2022-09-21: Notified vendor of intention to publish advisory  
2022-10-18: Vendor notified SCHUTZWERK of new contributors who will   
maintain the  
             project  
2023-04-19: Informed vendor about publication deadline on May 15, 2023  
2023-05-08: Vendor replied with intention to fix vulnerability until May   
15,2023  
2023-05-15: Vulnerability fixed by vendor  
2023-05-26: Advisory published by SCHUTZWERK

Contact/Credits  
===============

The vulnerability was discovered during an assessment by Lennert Preuth of  
SCHUTZWERK GmbH.

References  
==========

[0] https://github.com/rii-mango/Papaya  
[1] https://rii.uthscsa.edu/  
[2] http://mangoviewer.com/pubs.html  
[3] https://en.wikipedia.org/wiki/DICOM  
[4] https://medimodel.com/sample-dicom-files/human_skull_2_dicom_file/  
[5] https://dicom.offis.de/dcmtk.php.de  
[6] https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_  
     Prevention_Cheat_Sheet.html  
[7] https://github.com/cure53/DOMPurify

Disclaimer  
==========

The information in this security advisory is provided "as is" and without  
warranty of any kind. Details of this security advisory may be updated   
in order  
to provide as accurate information as possible. The most recent version   
of this  
security advisory can be found at SCHUTZWERK GmbH's website.  
-----BEGIN PGP SIGNATURE-----

iQJOBAEBCgA4FiEEgLsg7Oj/wY3LSF87GrXfkTIXLrsFAmRwkEgaHGFkdmlzb3Jp  
ZXNAc2NodXR6d2Vyay5jb20ACgkQGrXfkTIXLrvCEA//YsP7ZUvk9VLzp49DtsMP  
HQF0ojoBmNZOi5fymVDRGScmMT5VLOsdp9EUEywPYxmxo1rPc4vv6gM3hQsQ7TRO  
oAb9ZeZjvYy2Nyz6cy3wX4H2naFOHEr085Uwpg9pX5DAHkQVsseTi/n04u5PT5xP  
Fnuozie/KOG4pmkkKFHmG6aWgUSXWZuq8japOghl6g35BmG7ntXG2OYsb7f5ITYw  
ksRbJt+8wetrBsa/pR6ZfEkoEpyuFZg85EDpDRoBPVlGZtuSF6dh+WfO+9VQBjLE  
dZwPRaXefHp/v89rEfWvkX3JGmGWh6P8KQ+puF3GHLcBa8iDIbW/HPfQHGuGhfIa  
upZ1E+HtgpxInxelM/BcFKXSjD4AMnAULa2C6nWsdmw8GIKHHus+WQuK1z40R7N4  
Vji59buH9SBWAWb7MuyRrdxoZSmAuxcR7lXVzHMxSOZm0W7J0d9luLL8XUn4kj8+  
tRE24TgbdGyAYr/V6BO9RiYCtyWPji5VBtwFZLFlvKRo81zyS9nve651nWS7Fv/l  
OGns4fGbEZ+sm/YuFdfyzg8TMJ0pqV0AswCnx9mSqWn3RRBHg55pE4i6IyUdofu/  
eiaTl33oyGolW7rQ5ATtmsOgKp5jKb7rt3WVSBLn1D9+JJ8MfbDrvyUoTkIZaqEp  
4bKAQKWvxQG8GpbKuQT4on0=  
=IEuk  
-----END PGP SIGNATURE-----

--   
SCHUTZWERK GmbH, Pfarrer-Weiß-Weg 12, 89077 Ulm, Germany  
Zertifiziert / Certified ISO 27001, 9001 and TISAX

Phone +49 731 977 191 0

advisories@schutzwerk.com / www.schutzwerk.com

Geschäftsführer / Managing Directors:  
Jakob Pietzka, Michael Schäfer

Amtsgericht Ulm / HRB 727391  
Datenschutz / Data Protection www.schutzwerk.com/datenschutz

Papaya Medical Viewer 1.0 Cross Site Scripting

PrinterLogic build version 1.0.757 suffers from authentication bypass, cross site request forgery, cross site scripting, session fixation, insufficient checks, impersonation, remote SQL injection, and various other vulnerabilities.

PrinterLogic Build 1.0.757 XSS / SQL Injection / Authentication Bypass

Prestashop salesbooster <= 1.10.4 is vulnerable to Incorrect Access Control via modules/salesbooster/downloads/download.php.

In the module “Sales Booster” (salesbooster) from Webbax, a guest can download personnal informations without restriction.

**Summary**

*   **CVE ID**: CVE-2023-30196
*   **Published at**: 2023-05-22
*   **Platform**: PrestaShop
*   **Product**: salesbooster
*   **Impacted release**: <= 1.10.4 (1.10.5 fixed the vulnerability)
*   **Product author**: Webbax
*   **Weakness**: CWE-22
*   **Severity**: high (7.5)

**Description**

Due to predictible token and a lack of control in the path name’s construction, a guest can perform a path traversal to view all files on the information system.

Note : We are forced to tag it as a high gravity due to the CWE type 22 but be warned that on our ecosystem, it must be considered critical since it unlocks hundreds admin’s ajax script of modules due to this

**CVSS base metrics**

*   **Attack vector**: network
*   **Attack complexity**: low
*   **Privilege required**: none
*   **User interaction**: none
*   **Scope**: unchanged
*   **Confidentiality**: high
*   **Integrity**: none
*   **Availability**: none

**Vector string**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

**Possible malicious usage**

*   Stealing secrets to unlock admin controllers based on ajax script
*   Exfiltrate all modules with all versions to facilited pentesting
*   Stealing table\_prefix to greatly facilitate SQL injections for kiddies who don’t known how exploit DBMS design’s vulnerabilities or stealing database access to login in exposed PHPMyAdmin / Adminer / etc.
*   Bypass WAF / htaccess restrictions to read forbidden files (such as logs on predictible paths of banks’s modules inside /var/log/)

**Patch from 1.10.4**

    --- 1.10.4/modules/salesbooster/downloads/download.php
    +++ 1.10.5/modules/salesbooster/downloads/download.php
    ...
    -$file = Tools::getValue('file');
    +$file = basename(Tools::getValue('file')).'.txt';
    +if((strpos($file, './') === false) && substr($file,-4) == '.txt'){
    ...
    +}
    ...
    

**Other recommandations**

*   It’s recommended to upgrade to the latest version of the module **salesbooster**.
*   Update the configuration SALESBOOSTER\_TOKEN in your ps\_configuration table with a string not predictible - **be warned that the patch provided by author still suffer of a predictible security token mecanism.**
*   You should consider to restrict the access of modules/salesbooster/ to a whitelist
*   NEVER exposed a PHPMyAdmin / Adminer / etc without, at least, a htpasswd
*   Activate OWASP 930’s rules on your WAF (Web application firewall) and adjust it for your Prestashop

**Timeline**

Date

Action

2023-02-25

Issue discovered during a code review by TouchWeb.fr

2023-02-25

Contact Author

2023-02-25

Request a CVE ID

2023-02-27

Author confirm alert’s read

2023-04-24

Received CVE ID

2023-05-02

Author publish a new version which fix the leak

2023-05-22

Publish this security advisory

**Links**

*   Author download page
*   Usefull Author advices - French
*   National Vulnerability Database

Tag

#php