Lucene search

GitHub Advisory DatabaseGHSA-7PJR-2RGH-FC5G

HistoryMay 14, 2024 - 8:17 p.m.

Anonymous PrestaShop customer can download other customers' invoices

2024-05-1420:17:27

CWE-200

GitHub Advisory Database

github.com

prestashop

invoices

security vulnerability

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

0.0004 Low

EPSS

Percentile

9.1%

JSON

Impact

Since PrestaShop 8.1.5, any invoice can be downloaded from front-office in anonymous mode, by supplying a random secure_key parameter in the url.

Patches

Patched in 8.1.6

Workarounds

Upgrade to 8.1.6

Thank you to Samuel Bodevin, who found this vulnerability and shared it with the PrestaShop team.

Affected configurations

Vulners

Node

prestashopprestashopMatch8.1.5

CPENameOperatorVersion
prestashop/prestashopeq8.1.5

CPE	Name	Operator	Version
	prestashop/prestashop	eq	8.1.5

References

github.com/advisories/GHSA-7pjr-2rgh-fc5g

github.com/PrestaShop/PrestaShop/commit/46b9a2b430dd2008ac061fbcbae9f7af55a7920a

github.com/PrestaShop/PrestaShop/releases/tag/8.1.6

github.com/PrestaShop/PrestaShop/security/advisories/GHSA-7pjr-2rgh-fc5g

nvd.nist.gov/vuln/detail/CVE-2024-34717

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

0.0004 Low

EPSS

Percentile

9.1%

JSON

Related for GHSA-7PJR-2RGH-FC5G