ps_emailsubscription - PrestaShop module vulnerability (CVE-2021-21418)

Module

ps_emailsubscription

Score

5.4 Medium

Date published

31-03-2021

Affected versions

  • Versions from 2.6.0 up to but not including 2.6.1

Description

ps_emailsubscription is a newsletter subscription module for the PrestaShop platform. An employee can inject JavaScript in the newsletter condition field, which will then be executed on the front office. The issue has been fixed in 2.6.1.

References

https://github.com/PrestaShop/ps_emailsu...
Patch Third Party Advisory github.com
https://github.com/PrestaShop/ps_emailsu...
Release Notes Third Party Advisory github.com
https://github.com/PrestaShop/ps_emailsu...
Third Party Advisory github.com
https://packagist.org/packages/prestasho...
Third Party Advisory github.com
https://github.com/PrestaShop/ps_emailsu...
Release Notes Third Party Advisory

Metrics

cvssMetricV31

| Field | Value 1 | Value 2 |
|---|---|---|
| source | security-advisories@github.com | nvd@nist.gov |
| type | Secondary | Primary |
| version | 3.1 | 3.1 |
| vectorString | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| baseScore | 4.6 | 5.4 |
| baseSeverity | MEDIUM | MEDIUM |
| attackVector | NETWORK | NETWORK |
| attackComplexity | LOW | LOW |
| privilegesRequired | LOW | LOW |
| userInteraction | REQUIRED | REQUIRED |
| scope | UNCHANGED | CHANGED |
| confidentialityImpact | LOW | LOW |
| integrityImpact | LOW | LOW |
| availabilityImpact | NONE | NONE |
| exploitabilityScore | 2.1 | 2.3 |
| impactScore | 2.5 | 2.7 |

cvssMetricV2

| Field | Value |
|---|---|
| source | nvd@nist.gov |
| type | Primary |
| version | 2.0 |
| vectorString | AV:N/AC:M/Au:S/C:N/I:P/A:N |
| baseScore | 3.5 |
| accessVector | NETWORK |
| accessComplexity | MEDIUM |
| authentication | SINGLE |
| confidentialityImpact | NONE |
| integrityImpact | PARTIAL |
| availabilityImpact | NONE |
| baseSeverity | LOW |
| exploitabilityScore | 6.8 |
| impactScore | 2.9 |
| acInsufInfo | False |
| obtainAllPrivilege | False |
| obtainUserPrivilege | False |
| obtainOtherPrivilege | False |
| userInteractionRequired | True |