sonice_etiquetage- PrestaShop module vulnerability (CVE-2023-45383)

Modulesonice_etiquetage

Score

7.5 High

Date publish

18-10-2023

Versiones afectadas

Up to and including 2.5.9

Description

In the module "SoNice etiquetage" (sonice_etiquetage) up to version 2.5.9 from Common-Services for PrestaShop, a guest can download personal information without restriction by performing a path traversal attack. Due to a lack of permissions control and a lack of control in the path name construction, a guest can perform a path traversal to view all files on the information system.

References

https://common-services.com/fr/home-fr/

Product mitre.org

https://security.friendsofpresta.org/mod...

Patch Third Party Advisory mitre.org

https://common-services.com/fr/home-fr/

Product

https://security.friendsofpresta.org/mod...

Patch Third Party Advisory

Metrics

cvssMetricV31
source	nvd@nist.gov	134c704f-9b21-4f2e-91b3-4a467353bcc0
type	Primary	Secondary
version	3.1	3.1
vectorString	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
baseScore	7.5	7.5
baseSeverity	HIGH	HIGH
attackVector	NETWORK	NETWORK
attackComplexity	LOW	LOW
privilegesRequired	NONE	NONE
userInteraction	NONE	NONE
scope	UNCHANGED	UNCHANGED
confidentialityImpact	HIGH	HIGH
integrityImpact	NONE	NONE
availabilityImpact	NONE	NONE
exploitabilityScore	3.9	3.9
impactScore	3.6	3.6