Lucene search

GitHub_MCVELIST:CVE-2022-21686

HistoryJan 26, 2022 - 8:10 p.m.

CVE-2022-21686 Server Side Twig Template Injection in PrestaShop

2022-01-2620:10:10

CWE-94

GitHub_M

www.cve.org

cve-2022-21686

server side

twig template injection

prestashop

open source

e-commerce platform

version 1.7.0.0

version 1.7.8.3

legacy layout

fixed issue

no known workarounds

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

AI Score

9.6

Confidence

High

EPSS

0.003

Percentile

71.9%

JSON

PrestaShop is an Open Source e-commerce platform. Starting with version 1.7.0.0 and ending with version 1.7.8.3, an attacker is able to inject twig code inside the back office when using the legacy layout. The problem is fixed in version 1.7.8.3. There are no known workarounds.

CNA Affected

[
  {
    "product": "PrestaShop",
    "vendor": "PrestaShop",
    "versions": [
      {
        "status": "affected",
        "version": ">= 1.7.0.0, < 1.7.8.3"
      }
    ]
  }
]

References

github.com/PrestaShop/PrestaShop/commit/d02b469ec365822e6a9f017e57f588966248bf21

github.com/PrestaShop/PrestaShop/releases/tag/1.7.8.3

github.com/PrestaShop/PrestaShop/security/advisories/GHSA-mrq4-7ch7-2465

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

AI Score

9.6

Confidence

High

EPSS

0.003

Percentile

71.9%

JSON

Related for CVELIST:CVE-2022-21686