PrestaShop CVE-2020-26224 vulnerability
Core
Score
7.5 HighDate publish
16-11-2020Versiones afectadas
- Less than 1.7.6.9
Description
In PrestaShop before version 1.7.6.9 an attacker is able to list all the orders placed on the website without being logged by abusing the function that allows a shopping cart to be recreated from an order already placed. The problem is fixed in 1.7.6.9.References
Metrics
| cvssMetricV31 | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| source | security-advisories@github.com | nvd@nist.gov | |||||||||
| type | Secondary | Primary | |||||||||
| version | 3.1 | 3.1 | |||||||||
| vectorString | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | |||||||||
| baseScore | 7.5 | 7.5 | |||||||||
| baseSeverity | HIGH | HIGH | |||||||||
| attackVector | NETWORK | NETWORK | |||||||||
| attackComplexity | LOW | LOW | |||||||||
| privilegesRequired | NONE | NONE | |||||||||
| userInteraction | NONE | NONE | |||||||||
| scope | UNCHANGED | UNCHANGED | |||||||||
| confidentialityImpact | HIGH | HIGH | |||||||||
| integrityImpact | NONE | NONE | |||||||||
| availabilityImpact | NONE | NONE | |||||||||
| exploitabilityScore | 3.9 | 3.9 | |||||||||
| impactScore | 3.6 | 3.6 | |||||||||
| cvssMetricV2 | |||||||||||
| source | nvd@nist.gov | ||||||||||
| type | Primary | ||||||||||
| version | 2.0 | ||||||||||
| vectorString | AV:N/AC:L/Au:N/C:P/I:N/A:N | ||||||||||
| baseScore | 5 | ||||||||||
| accessVector | NETWORK | ||||||||||
| accessComplexity | LOW | ||||||||||
| authentication | NONE | ||||||||||
| confidentialityImpact | PARTIAL | ||||||||||
| integrityImpact | NONE | ||||||||||
| availabilityImpact | NONE | ||||||||||
| baseSeverity | MEDIUM | ||||||||||
| exploitabilityScore | 10 | ||||||||||
| impactScore | 2.9 | ||||||||||
| acInsufInfo | False | ||||||||||
| obtainAllPrivilege | False | ||||||||||
| obtainUserPrivilege | False | ||||||||||
| obtainOtherPrivilege | False | ||||||||||
| userInteractionRequired | False | ||||||||||