VDB
KO
HIGH 7.7

GHSA-8r4m-5p6p-52rp

Arbitrary file read via SQL injection

Details

### Impact It is possible for a user having access to the SQL Manager (Advanced Options -> Database) to arbitrary read any file on the Operating system when using SQL function LOAD_FILE in a SELECT request. So It can access to critical information.

### Patches The patch will be on PS 8.0.4 and PS 1.7.8.9

Are you affected?

Enter the version of the package you're using.

Affected packages

Packagist / prestashop/prestashop
Introduced in: 8.0.0 Fixed in: 8.0.4
Fix composer require prestashop/prestashop:^8.0.4
Packagist / prestashop/prestashop
Introduced in: 0 Fixed in: 1.7.8.9
Fix composer require prestashop/prestashop:^1.7.8.9

References