PrestaShop CVE-2022-21686 vulnerability

Core

Score

9.8 Critical

Publication date

26-01-2022

Affected versions

  • Versions from 1.7.0.0 up to and including 1.7.8.3

Description

PrestaShop is an open source e-commerce platform. Starting with version 1.7.0.0 and ending with version 1.7.8.3, an attacker is able to inject Twig code inside the back office when using the legacy layout. The problem is fixed in version 1.7.8.3. There are no known workarounds.

References

  • https://github.com/PrestaShop/PrestaShop... (Patch, Third Party Advisory, github.com)
  • https://github.com/PrestaShop/PrestaShop... (Release Notes, Third Party Advisory, github.com)
  • https://github.com/PrestaShop/PrestaShop... (Third Party Advisory, github.com)
  • https://github.com/PrestaShop/PrestaShop... (Release Notes, Third Party Advisory)

Metrics

CVSS v3.1

Field                   security-advisories@github.com                       nvd@nist.gov
type                    Secondary                                            Primary
version                 3.1                                                  3.1
vectorString            CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H         CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
baseScore               9                                                    9.8
baseSeverity            CRITICAL                                             CRITICAL
attackVector            NETWORK                                              NETWORK
attackComplexity        HIGH                                                 LOW
privilegesRequired      NONE                                                 NONE
userInteraction         NONE                                                 NONE
scope                   CHANGED                                              UNCHANGED
confidentialityImpact   HIGH                                                 HIGH
integrityImpact         HIGH                                                 HIGH
availabilityImpact      HIGH                                                 HIGH
exploitabilityScore     2.2                                                  3.9
impactScore             6                                                    5.9

CVSS v2

Field                     nvd@nist.gov
type                      Primary
version                   2.0
vectorString              AV:N/AC:L/Au:N/C:P/I:P/A:P
baseScore                 7.5
accessVector              NETWORK
accessComplexity          LOW
authentication            NONE
confidentialityImpact     PARTIAL
integrityImpact           PARTIAL
availabilityImpact        PARTIAL
baseSeverity              HIGH
exploitabilityScore       10
impactScore               6.4
acInsufInfo               False
obtainAllPrivilege        False
obtainUserPrivilege       False
obtainOtherPrivilege      False
userInteractionRequired   False