Lucene search

GitHub_MCVELIST:CVE-2020-5270

HistoryApr 20, 2020 - 4:45 p.m.

CVE-2020-5270 Open redirection when using back parameter of PrestaShop

2020-04-2016:45:15

CWE-601

GitHub_M

www.cve.org

4.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N

0.001 Low

EPSS

Percentile

29.3%

JSON

In PrestaShop between versions 1.7.6.0 and 1.7.6.5, there is an open redirection when using back parameter. The impacts can be many, and vary from the theft of information and credentials to the redirection to malicious websites containing attacker-controlled content, which in some cases even cause XSS attacks. So even though an open redirection might sound harmless at first, the impacts of it can be severe should it be exploitable. The problem is fixed in 1.7.6.5

CNA Affected

[
  {
    "product": "PrestaShop",
    "vendor": "PrestaShop",
    "versions": [
      {
        "status": "affected",
        "version": ">= 1.7.6.0, < 1.7.6.5"
      }
    ]
  }
]

References

github.com/PrestaShop/PrestaShop/commit/cd2219dca49965ae8421bb5a53fc301f3f23c458

github.com/PrestaShop/PrestaShop/security/advisories/GHSA-375w-q56h-h7qc

4.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N

0.001 Low

EPSS

Percentile

29.3%

JSON

Related for CVELIST:CVE-2020-5270