stripejs- PrestaShop module vulnerability (CVE-2023-23315)

Modulestripejs

Score

9.8 Critical

Date publish

01-03-2023

Versiones afectadas

  • Less than 4.5.5

Description

The PrestaShop e-commerce platform module stripejs contains a Blind SQL injection vulnerability up to version 4.5.5. The method `stripejsValidationModuleFrontController::initContent()` has sensitive SQL calls that can be executed with a trivial http call and exploited to forge a SQL injection.

References

https://friends-of-presta.github.io/secu...
Exploit Third Party Advisory mitre.org
https://friends-of-presta.github.io/secu...
Exploit Third Party Advisory

Metrics

cvssMetricV31
sourcenvd@nist.gov
typePrimary
version3.1
vectorStringCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
baseScore9.8
baseSeverityCRITICAL
attackVectorNETWORK
attackComplexityLOW
privilegesRequiredNONE
userInteractionNONE
scopeUNCHANGED
confidentialityImpactHIGH
integrityImpactHIGH
availabilityImpactHIGH
exploitabilityScore3.9
impactScore5.9
Scroll al inicio