PrestaShop CVE-2020-5270 vulnerability

Core

Score

6.1 Medium

Date publish

20-04-2020

Versiones afectadas

  • Less than 1.7.6.5

Description

In PrestaShop between versions 1.7.6.0 and 1.7.6.5, there is an open redirection when using back parameter. The impacts can be many, and vary from the theft of information and credentials to the redirection to malicious websites containing attacker-controlled content, which in some cases even cause XSS attacks. So even though an open redirection might sound harmless at first, the impacts of it can be severe should it be exploitable. The problem is fixed in 1.7.6.5

References

https://github.com/PrestaShop/PrestaShop...
Patch Third Party Advisory github.com
https://github.com/PrestaShop/PrestaShop...
Patch Third Party Advisory github.com
https://github.com/PrestaShop/PrestaShop...
Patch Third Party Advisory
https://github.com/PrestaShop/PrestaShop...
Patch Third Party Advisory

Metrics

cvssMetricV31
sourcesecurity-advisories@github.comnvd@nist.gov
typeSecondaryPrimary
version3.13.1
vectorStringCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:NCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
baseScore4.16.1
baseSeverityMEDIUMMEDIUM
attackVectorNETWORKNETWORK
attackComplexityLOWLOW
privilegesRequiredLOWNONE
userInteractionREQUIREDREQUIRED
scopeCHANGEDCHANGED
confidentialityImpactLOWLOW
integrityImpactNONELOW
availabilityImpactNONENONE
exploitabilityScore2.32.8
impactScore1.42.7
cvssMetricV2
sourcenvd@nist.gov
typePrimary
version2.0
vectorStringAV:N/AC:M/Au:N/C:P/I:P/A:N
baseScore5.8
accessVectorNETWORK
accessComplexityMEDIUM
authenticationNONE
confidentialityImpactPARTIAL
integrityImpactPARTIAL
availabilityImpactNONE
baseSeverityMEDIUM
exploitabilityScore8.6
impactScore4.9
acInsufInfoFalse
obtainAllPrivilegeFalse
obtainUserPrivilegeFalse
obtainOtherPrivilegeFalse
userInteractionRequiredTrue
Scroll al inicio