IMPORTANT NOTICE: DO NOT REPORT VULNERABILITIES SOLELY TO THE AUTHOR OR MARKETPLACE.
We urge you to report any vulnerabilities directly to us. Our mission is to ensure the safety and security of the PrestaShop ecosystem. Unfortunately, many module developers may not always recognize or acknowledge the vulnerabilities in their code, whether due to lack of awareness, or inability to properly evaluate the associated risk, or other reasons.
Given the rise in professional cybercrime networks actively seeking out these vulnerabilities, it's crucial that any potential threats are promptly addressed and the community is informed. The most effective method to do this is by publishing a CVE, like the one provided below.
Should you discover any vulnerabilities, please report them to us at: report[@]security-presta.org or visit https://security-presta.org for more information.
Every vulnerability report helps make the community more secure, and we are profoundly grateful for any information shared with us.
[CVE-2024-6648] Absolute Path Traversal vulnerability in AP Page Builder versions prior to 4.0.0
AP Page Builder is vulnerable to an absolute path traversal that allows an attacker to include system files by modifying the Base64-encoded config parameter submitted to apajax.php.
Summary
- CVE ID: CVE-2024-6648
- Published at: 2025-05-08
- Advisory source: Incibe cert
- Platform: PrestaShop
- Product: Ap Page Builder
- Impacted release: < 4.0.0
- Product author: Apollo Theme
- Weakness: CWE-36
- Severity: high (8.7)
Description
Absolute Path Traversal vulnerability in AP Page Builder versions prior to 4.0.0 could allow an unauthenticated remote user to modify the ‘product_item_path’ within the ‘config’ JSON file, allowing them to read any file on the system.
WARNING: This exploit uses a Base64 payload, which may bypass most WAFs.
Be aware that a Base64 string can be obfuscated with special characters to evade detection: PHP's base64_decode() function silently strips them out.
For example, the following is a perfectly valid Base64 input for base64_decode: Li4$vLi4-vY#XBwL–2NvbmZpZy9wYXJhb-WV0Z$XJzLnB$ocA==
If you’re using ModSecurity 2, prefer base64DecodeExt over base64Decode to mitigate this technique.
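An added example (not part of the advisory or of the module's code): a log-review helper that decodes the config parameter the lenient way PHP's base64_decode() does, so obfuscated values are inspected rather than skipped. The function names and the shop.example host are assumptions; the two sample values are the obfuscated string above and the config value from the proof of concept on this page.

```python
import base64
import json
import re
from urllib.parse import parse_qs, urlsplit

NON_B64 = re.compile(r"[^A-Za-z0-9+/]")

# Sample values copied from this advisory; the host name is constructed.
PAGE_OBFUSCATED = "Li4$vLi4-vY#XBwL–2NvbmZpZy9wYXJhb-WV0Z$XJzLnB$ocA=="
POC_URL = ("https://shop.example/modules/appagebuilder/apajax.php?config="
           "eyJvcmRlcl9ieSI6ImlkX3Byb2R1Y3QiLCJuYl9wcm9kdWN0cyI6IjIiLCJ0b3RhbF9w"
           "YWdlIjoxLCAicHJvZHVjdF9pdGVtX3BhdGgiOiAiY29uZmlnLnhtbCIsICJjb2x1bW5z"
           "IjogMX0%3d&p=1")


def php_like_b64decode(value):
    """Approximate PHP's non-strict base64_decode(): skip non-alphabet characters."""
    cleaned = NON_B64.sub("", value)
    if len(cleaned) % 4 == 1:  # a lone trailing character encodes no full byte
        cleaned = cleaned[:-1]
    return base64.b64decode(cleaned + "=" * (-len(cleaned) % 4))


def strict_b64decode(value):
    """A filter that only accepts well-formed Base64 gets nothing to inspect."""
    try:
        return base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def inspect_config(value):
    """Decode a config value leniently and report what a reviewer needs."""
    text = php_like_b64decode(value).decode("utf-8", "replace")
    report = {"decoded": text, "product_item_path": None,
              "obfuscated": bool(NON_B64.search(value.rstrip("=")))}
    try:
        doc = json.loads(text)
    except ValueError:
        return report
    if isinstance(doc, dict):
        report["product_item_path"] = doc.get("product_item_path")
    return report


def inspect_request(url):
    """Return a report for requests to apajax.php that carry config, else None."""
    parts = urlsplit(url)
    values = parse_qs(parts.query).get("config")
    if not parts.path.endswith("/apajax.php") or not values:
        return None
    return inspect_config(values[0])
```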
CVSS base metrics
- Attack Vector (AV): Network
- Attack Complexity (AC): Low
- Attack Requirements (AT): None
- Privileges Required (PR): None
- User Interaction (UI): None
- Confidentiality (VC): High
- Integrity (VI): None
- Availability (VA): None
Vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Proof of concept
A PoC has been published by n0d0n: https://github.com/n0d0n/CVE-2024-6648/blob/main/CVE-2024-6648.yaml
curl -v "https://preprod.X/modules/appagebuilder/apajax.php?config=eyJvcmRlcl9ieSI6ImlkX3Byb2R1Y3QiLCJuYl9wcm9kdWN0cyI6IjIiLCJ0b3RhbF9wYWdlIjoxLCAicHJvZHVjdF9pdGVtX3BhdGgiOiAiY29uZmlnLnhtbCIsICJjb2x1bW5zIjogMX0%3d&p=1"
Patch
See this: Help Center - PrestaShop
Timeline
Date | Action |
---|---|
2024-07-15 | Incibe reports the vulnerability |
2024-08-16 | Due to the severity of the vulnerability, the large number of affected themes (over 2,000) across multiple marketplaces, and the time required for the module author to patch all of them, TouchWeb requests a one-year delay before public disclosure. |
2024-10-16 | Incibe accepts a 9-month delay |
2025-05-08 | Incibe publishes the vulnerability |
2025-05-08 | n0d0n publishes the PoC |
DISCLAIMER: The French Association Friends Of Presta (FOP) acts as an intermediary to help hosting this advisory. While we strive to ensure the information and advice provided are accurate, FOP cannot be held liable for any consequences arising from reported vulnerabilities or any subsequent actions taken.
This advisory and patch is licensed under CC BY-SA 4.0