
CVE-2024-26129: Path disclosure in JavaScript variable

CVSS Score (v3.1): 5.8

Basic Information

EPSS Score: 0.51973%
Published: 2/21/2024
Updated: 2/21/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

Package Name: prestashop/prestashop
Ecosystem: composer
Vulnerable Versions: >= 8.1.0, < 8.1.4
First Patched Version: 8.1.4

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from the getThemeDir() method in FrontController.php returning an absolute server path that was subsequently exposed in JavaScript variables, so any visitor could read the server's filesystem layout from the page source. The patch replaced this method call with the THEME_DIR constant, which likely represents a relative or otherwise sanitized path. The commit diff explicitly shows this function was the source of the path disclosure, and the CWE-22 classification confirms it is a path information exposure issue.

Vulnerable functions

Only Miggo users can see this section.

WAF Protection Rules

WAF Rule

### Impact
Path disclosure in JavaScript variable

### Patches
Patch in PrestaShop 8.1.4

### References
https://owasp.org/www-community/attacks/Full_Path_Disclosure

Thanks to https://github.com/*u*o-**son*
