CVE-2022-45448

EPSS 0.06%
Veröffentlicht 20.09.2023 13:15:11
Zuletzt bearbeitet 21.11.2024 07:29:16
Quelle cve-coordination@incibe.es
CVE-Watchlists
Login
Unerledigt
Login

Cross-site Scripting in M4 PDF plugin for Prestashop sites

M4 PDF plugin for Prestashop sites, in its 3.2.3 version and before, is vulnerable to an arbitrary HTML Document crafting vulnerability. The resource /m4pdf/pdf.php uses templates to dynamically create documents. In the case that the template does not exist, the application will return a fixed document with a message in mpdf format. An attacker could exploit this vulnerability by inputting a valid HTML/CSS document as the value of the parameter.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Prestashop ≫ M4 Pdf SwPlatformprestashop Version <= 3.2.3

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.06%	0.194

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.1	2.8	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cve-coordination@incibe.es	3.5	2.1	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-m4-pdf-plugin-prestashop-sites

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-45448

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-45448

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-45448

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2022-45448