PrestaShop CVE-2021-43789 vulnerability

Core

Score

9.8 Critical

Date publish

07-12-2021

Versiones afectadas

Versions from 1.7.5.0 up to but not including 1.7.8.2

Description

PrestaShop is an Open Source e-commerce web application. Versions of PrestaShop prior to 1.7.8.2 are vulnerable to blind SQL injection using search filters with `orderBy` and `sortOrder` parameters. The problem is fixed in version 1.7.8.2.

References

https://github.com/PrestaShop/PrestaShop...

Issue Tracking Third Party Advisory github.com

https://github.com/PrestaShop/PrestaShop...

Release Notes Third Party Advisory github.com

https://github.com/PrestaShop/PrestaShop...

Third Party Advisory github.com

https://github.com/PrestaShop/PrestaShop...

Issue Tracking Third Party Advisory

https://github.com/PrestaShop/PrestaShop...

Release Notes Third Party Advisory

https://github.com/PrestaShop/PrestaShop...

Third Party Advisory

Metrics

cvssMetricV31
source	security-advisories@github.com	nvd@nist.gov
type	Secondary	Primary
version	3.1	3.1
vectorString	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
baseScore	7.5	9.8
baseSeverity	HIGH	CRITICAL
attackVector	NETWORK	NETWORK
attackComplexity	LOW	LOW
privilegesRequired	NONE	NONE
userInteraction	NONE	NONE
scope	UNCHANGED	UNCHANGED
confidentialityImpact	HIGH	HIGH
integrityImpact	NONE	HIGH
availabilityImpact	NONE	HIGH
exploitabilityScore	3.9	3.9
impactScore	3.6	5.9
cvssMetricV2
source	nvd@nist.gov
type	Primary
version	2.0
vectorString	AV:N/AC:L/Au:N/C:P/I:P/A:P
baseScore	7.5
accessVector	NETWORK
accessComplexity	LOW
authentication	NONE
confidentialityImpact	PARTIAL
integrityImpact	PARTIAL
availabilityImpact	PARTIAL
baseSeverity	HIGH
exploitabilityScore	10
impactScore	6.4
acInsufInfo	False
obtainAllPrivilege	False
obtainUserPrivilege	False
obtainOtherPrivilege	False
userInteractionRequired	False