PrestaShop CVE-2018-5682 vulnerability

Core

Score

5.3 Medium

Date publish

13-01-2018

Versiones afectadas

Versions from 1.7.2.4 up to and including 1.7.2.4

Description

PrestaShop 1.7.2.4 allows user enumeration via the Reset Password feature, by noticing which reset attempts do not produce a "This account does not exist" error message.

References

http://forge.prestashop.com/browse/BOOM-...

Third Party Advisory mitre.org

http://forge.prestashop.com/browse/BOOM-...

Third Party Advisory

Metrics

cvssMetricV30
source	nvd@nist.gov
type	Primary
version	3.0
vectorString	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
baseScore	5.3
baseSeverity	MEDIUM
attackVector	NETWORK
attackComplexity	LOW
privilegesRequired	NONE
userInteraction	NONE
scope	UNCHANGED
confidentialityImpact	LOW
integrityImpact	NONE
availabilityImpact	NONE
exploitabilityScore	3.9
impactScore	1.4
cvssMetricV2
source	nvd@nist.gov
type	Primary
version	2.0
vectorString	AV:N/AC:L/Au:N/C:P/I:N/A:N
baseScore	5
accessVector	NETWORK
accessComplexity	LOW
authentication	NONE
confidentialityImpact	PARTIAL
integrityImpact	NONE
availabilityImpact	NONE
baseSeverity	MEDIUM
exploitabilityScore	10
impactScore	2.9
acInsufInfo	False
obtainAllPrivilege	False
obtainUserPrivilege	False
obtainOtherPrivilege	False
userInteractionRequired	False