ndk_advanced_custom_fields- PrestaShop module vulnerability (CVE-2022-40841)

Modulendk_advanced_custom_fields

Score

6.1 Medium

Date publish

21-12-2022

Versiones afectadas

Up to and including 3.5.0

Description

A cross-site scripting (XSS) vulnerability in NdkAdvancedCustomizationFields v3.5.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payloads injected into the "htmlNodes" parameter.

References

http://ndkadvancedcustomizationfields.co...

Broken Link URL Repurposed mitre.org

https://github.com/daaaalllii/cve-s/blob...

Exploit Third Party Advisory mitre.org

http://ndkadvancedcustomizationfields.co...

Broken Link URL Repurposed

https://github.com/daaaalllii/cve-s/blob...

Exploit Third Party Advisory

Metrics

cvssMetricV31
source	nvd@nist.gov	134c704f-9b21-4f2e-91b3-4a467353bcc0
type	Primary	Secondary
version	3.1	3.1
vectorString	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
baseScore	6.1	6.1
baseSeverity	MEDIUM	MEDIUM
attackVector	NETWORK	NETWORK
attackComplexity	LOW	LOW
privilegesRequired	NONE	NONE
userInteraction	REQUIRED	REQUIRED
scope	CHANGED	CHANGED
confidentialityImpact	LOW	LOW
integrityImpact	LOW	LOW
availabilityImpact	NONE	NONE
exploitabilityScore	2.8	2.8
impactScore	2.7	2.7