Skip to main content

PHPInfo Exposure in MyPrestaModules Modules CVE-2023-39677

Two modules that we tested by MyPrestaModules have a vulnerability where PHPInfo is exposed to an unauthenticated attacker. The modules SimpleImportProduct and UpdateProducts contain a file called send.php that has the following code snippet:

    if ( Tools::getValue('phpinfo') ){  

This exposes PHPInfo information which is useful to an attacker and it requires no authentication to exploit. This was reported to MyPrestaModules and a patch was released.


Date Action
10/07/2023 Issue discovered during a pentest
12/07/2023 Reported issue to MyPrestaModules
29/07/2023 Requested CVE from MITRE
??/08/2023 Patch released
28/08/2023 Number CVE-2023-39677 assigned
07/09/2023 Blog post and nuclei template released