productcomments - PrestaShop module vulnerability (CVE-2020-26225)
Module
productcomments
Score
8.7 High
Date published
16-11-2020
Affected versions
- Versions from 4.0.0 up to but not including 4.2.0
Description
In PrestaShop Product Comments before version 4.2.0, an attacker could inject malicious web code into the users' web browsers by creating a malicious link. The problem was introduced in version 4.0.0 and is fixed in 4.2.0.
References
Metrics
| cvssMetricV31 | | |
|---|---|---|
| source | security-advisories@github.com | nvd@nist.gov |
| type | Secondary | Primary |
| version | 3.1 | 3.1 |
| vectorString | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| baseScore | 8.7 | 6.1 |
| baseSeverity | HIGH | MEDIUM |
| attackVector | NETWORK | NETWORK |
| attackComplexity | LOW | LOW |
| privilegesRequired | LOW | NONE |
| userInteraction | REQUIRED | REQUIRED |
| scope | CHANGED | CHANGED |
| confidentialityImpact | HIGH | LOW |
| integrityImpact | HIGH | LOW |
| availabilityImpact | NONE | NONE |
| exploitabilityScore | 2.3 | 2.8 |
| impactScore | 5.8 | 2.7 |

| cvssMetricV2 | |
|---|---|
| source | nvd@nist.gov |
| type | Primary |
| version | 2.0 |
| vectorString | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| baseScore | 4.3 |
| accessVector | NETWORK |
| accessComplexity | MEDIUM |
| authentication | NONE |
| confidentialityImpact | NONE |
| integrityImpact | PARTIAL |
| availabilityImpact | NONE |
| baseSeverity | MEDIUM |
| exploitabilityScore | 8.6 |
| impactScore | 2.9 |
| acInsufInfo | False |
| obtainAllPrivilege | False |
| obtainUserPrivilege | False |
| obtainOtherPrivilege | False |
| userInteractionRequired | True |
