PrestaShop CVE-2020-5279 vulnerability

Core

Score

6.5 Medium

Date publish

20-04-2020

Versiones afectadas

Less than 1.7.6.5

Description

In PrestaShop between versions 1.5.0.0 and 1.7.6.5, there are improper access control since the the version 1.5.0.0 for legacy controllers. - admin-dev/index.php/configure/shop/customer-preferences/ - admin-dev/index.php/improve/international/translations/ - admin-dev/index.php/improve/international/geolocation/ - admin-dev/index.php/improve/international/localization - admin-dev/index.php/configure/advanced/performance - admin-dev/index.php/sell/orders/delivery-slips/ - admin-dev/index.php?controller=AdminStatuses The problem is fixed in 1.7.6.5

References

https://github.com/PrestaShop/PrestaShop...

Patch Third Party Advisory github.com

https://github.com/PrestaShop/PrestaShop...

Patch Third Party Advisory github.com

https://github.com/PrestaShop/PrestaShop...

Patch Third Party Advisory

https://github.com/PrestaShop/PrestaShop...

Patch Third Party Advisory

Metrics

cvssMetricV31
source	security-advisories@github.com	nvd@nist.gov
type	Secondary	Primary
version	3.1	3.1
vectorString	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
baseScore	4.1	6.5
baseSeverity	MEDIUM	MEDIUM
attackVector	NETWORK	NETWORK
attackComplexity	LOW	LOW
privilegesRequired	LOW	NONE
userInteraction	REQUIRED	NONE
scope	CHANGED	UNCHANGED
confidentialityImpact	LOW	LOW
integrityImpact	NONE	LOW
availabilityImpact	NONE	NONE
exploitabilityScore	2.3	3.9
impactScore	1.4	2.5
cvssMetricV2
source	nvd@nist.gov
type	Primary
version	2.0
vectorString	AV:N/AC:L/Au:N/C:P/I:P/A:N
baseScore	6.4
accessVector	NETWORK
accessComplexity	LOW
authentication	NONE
confidentialityImpact	PARTIAL
integrityImpact	PARTIAL
availabilityImpact	NONE
baseSeverity	MEDIUM
exploitabilityScore	10
impactScore	4.9
acInsufInfo	False
obtainAllPrivilege	False
obtainUserPrivilege	False
obtainOtherPrivilege	False
userInteractionRequired	False