PrestaShop CVE-2020-15080 vulnerability

Core

Score

5.3 Medium

Date publish

02-07-2020

Versiones afectadas

Less than 1.7.6.6

Description

In PrestaShop from version 1.7.4.0 and before version 1.7.6.6, some files should not be in the release archive, and others should not be accessible. The problem is fixed in version 1.7.6.6 A possible workaround is to make sure `composer.json` and `docker-compose.yml` are not accessible on your server.

References

https://github.com/PrestaShop/PrestaShop...

Patch Third Party Advisory github.com

https://github.com/PrestaShop/PrestaShop...

Third Party Advisory github.com

https://github.com/PrestaShop/PrestaShop...

Patch Third Party Advisory

https://github.com/PrestaShop/PrestaShop...

Third Party Advisory

Metrics

cvssMetricV31
source	security-advisories@github.com	nvd@nist.gov
type	Secondary	Primary
version	3.1	3.1
vectorString	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
baseScore	5.3	5.3
baseSeverity	MEDIUM	MEDIUM
attackVector	NETWORK	NETWORK
attackComplexity	LOW	LOW
privilegesRequired	NONE	NONE
userInteraction	NONE	NONE
scope	UNCHANGED	UNCHANGED
confidentialityImpact	LOW	LOW
integrityImpact	NONE	NONE
availabilityImpact	NONE	NONE
exploitabilityScore	3.9	3.9
impactScore	1.4	1.4
cvssMetricV2
source	nvd@nist.gov
type	Primary
version	2.0
vectorString	AV:N/AC:L/Au:N/C:P/I:N/A:N
baseScore	5
accessVector	NETWORK
accessComplexity	LOW
authentication	NONE
confidentialityImpact	PARTIAL
integrityImpact	NONE
availabilityImpact	NONE
baseSeverity	MEDIUM
exploitabilityScore	10
impactScore	2.9
acInsufInfo	False
obtainAllPrivilege	False
obtainUserPrivilege	False
obtainOtherPrivilege	False
userInteractionRequired	False