
CVE-2025-61923: PrestaShop Checkout Backoffice directory traversal allows arbitrary file disclosure

CVSS Score: 4.1 (CVSS v3.1)
Basic Information

EPSS Score: -
Published: 10/16/2025
Updated: 10/16/2025
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N
Package Name           | Ecosystem | Vulnerable Versions | First Patched Version
prestashop/ps_checkout | composer  | < 4.4.1             | 4.4.1
prestashop/ps_checkout | composer  | >= 5.0.0, < 5.0.5   | 5.0.5

Vulnerability Intelligence

Root Cause Analysis

The vulnerability is a classic directory traversal issue within the PrestaShop Checkout module.

Vulnerable functions

AdminAjaxPrestashopCheckoutController::ajaxProcessGetLogs
ps17/controllers/admin/AdminAjaxPrestashopCheckoutController.php
The `ajaxProcessGetLogs` method of `AdminAjaxPrestashopCheckoutController` is vulnerable to directory traversal. It reads the 'file' parameter from the request and uses it to build the path of the log file to read. The original check, `Validate::isFileName`, does not reject path traversal sequences such as '../', so a caller with back-office access could supply a crafted filename and read arbitrary files on the server. The patch delegates validation to `LoggerFileReader::read`, which applies stricter checks.

AdminAjaxPrestashopCheckoutController::ajaxProcessDownloadLogs
ps17/controllers/admin/AdminAjaxPrestashopCheckoutController.php
Like `ajaxProcessGetLogs`, the `ajaxProcessDownloadLogs` method of `AdminAjaxPrestashopCheckoutController` is vulnerable to directory traversal. It takes a 'file' parameter from the request to select the log file to download, and the original code validated that filename only weakly. The patch adds a call to the new `validateFilename` method in `LoggerFileReader`, which sanitizes the input and rejects traversal sequences.

LoggerFileReader::read
infrastructure/src/Logger/LoggerFileReader.php
The `read` method of `LoggerFileReader` was changed to accept a filename string instead of a `SplFileObject`. The older version implicitly trusted that its input came from a safe source. The new version validates the filename through the `validateParams` method, which prevents directory traversal. The old version of this method was a key part of the vulnerability: it accessed the file system without properly validating the path it was given.
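As an added example (not the ps_checkout module's own code), a log reader in the spirit of the fix described above: the filename is allow-listed before any filesystem access, and the resolved path is then checked to lie inside the log directory as a second layer. The class, directory and log names are hypothetical.

```php
<?php
// Added example, not ps_checkout code. Demonstrates validating a user-supplied
// log filename before reading it, so traversal sequences never reach the disk.
declare(strict_types=1);

final class SafeLogReader
{
    private string $logDir;

    public function __construct(string $logDir)
    {
        $real = realpath($logDir);
        if ($real === false || !is_dir($real)) {
            throw new RuntimeException('Log directory does not exist');
        }
        $this->logDir = $real;
    }

    // Allow-list check: a bare name such as "checkout.log" or "2025-10-16.log".
    // Anything containing a directory separator, a ".." component, a NUL byte
    // or a trailing newline fails the pattern and is refused, not "cleaned".
    public static function validateFilename(string $name): bool
    {
        return (bool) preg_match('/^[A-Za-z0-9_-]+\.log\z/', $name);
    }

    // Return the log contents, or throw if the name or resolved path is invalid.
    public function read(string $name): string
    {
        if (!self::validateFilename($name)) {
            throw new InvalidArgumentException('Invalid log filename');
        }
        $path = realpath($this->logDir . DIRECTORY_SEPARATOR . $name);
        // Defence in depth: even a name that passed the allow-list must resolve
        // inside the log directory (guards against symlinks dropped there).
        $prefix = $this->logDir . DIRECTORY_SEPARATOR;
        if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
            throw new RuntimeException('Log file not found');
        }
        return (string) file_get_contents($path);
    }
}

// Demo with a constructed temporary log directory and a constructed log line.
$dir = sys_get_temp_dir() . '/safelog_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/checkout.log', "constructed sample log line\n");
$reader = new SafeLogReader($dir);
echo $reader->read('checkout.log');
try { $reader->read('../../config.php'); } catch (InvalidArgumentException $e) { echo "rejected\n"; }
```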

WAF Protection Rules

WAF Rule

# Impact: Missing validation on input vulnerable to directory traversal.
# Patches: The problem has been patched in versions: v*.*.* for PrestaShop *.* (build number: *.*.*.*), v*.*.* for PrestaShop * (build number: *.*.*.*), v*.*.* for PrestaShop *.*
