PrestaShop CVE-2020-15162 vulnerability

Core

Score

5.4 Medium

Date published

24-09-2020

Affected versions

  • Versions from 1.5.0.0 up to but not including 1.7.6.8

Description

In PrestaShop from version 1.5.0.0 and before version 1.7.6.8, users are allowed to send compromised files. These attachments allowed people to input malicious JavaScript which triggered an XSS payload. The problem is fixed in version 1.7.6.8.

References

  • https://github.com/PrestaShop/PrestaShop... (Patch, Third Party Advisory; github.com)
  • https://github.com/PrestaShop/PrestaShop... (Third Party Advisory; github.com)
  • https://github.com/PrestaShop/PrestaShop... (Exploit, Third Party Advisory; github.com)
  • https://github.com/PrestaShop/PrestaShop... (Exploit, Third Party Advisory)

Metrics

cvssMetricV31

| Field | Value (source 1) | Value (source 2) |
|---|---|---|
| source | security-advisories@github.com | nvd@nist.gov |
| type | Secondary | Primary |
| version | 3.1 | 3.1 |
| vectorString | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| baseScore | 5.4 | 5.4 |
| baseSeverity | MEDIUM | MEDIUM |
| attackVector | NETWORK | NETWORK |
| attackComplexity | HIGH | LOW |
| privilegesRequired | NONE | LOW |
| userInteraction | NONE | REQUIRED |
| scope | CHANGED | CHANGED |
| confidentialityImpact | LOW | LOW |
| integrityImpact | LOW | LOW |
| availabilityImpact | NONE | NONE |
| exploitabilityScore | 2.2 | 2.3 |
| impactScore | 2.7 | 2.7 |

cvssMetricV2

| Field | Value |
|---|---|
| source | nvd@nist.gov |
| type | Primary |
| version | 2.0 |
| vectorString | AV:N/AC:M/Au:S/C:N/I:P/A:N |
| baseScore | 3.5 |
| accessVector | NETWORK |
| accessComplexity | MEDIUM |
| authentication | SINGLE |
| confidentialityImpact | NONE |
| integrityImpact | PARTIAL |
| availabilityImpact | NONE |
| baseSeverity | LOW |
| exploitabilityScore | 6.8 |
| impactScore | 2.9 |
| acInsufInfo | False |
| obtainAllPrivilege | False |
| obtainUserPrivilege | False |
| obtainOtherPrivilege | False |
| userInteractionRequired | True |