Veracode Vulnerability Database | VERACODE:46918
History: May 15, 2024 - 6:29 a.m.

Insecure Direct Object Reference (IDOR)

2024-05-15 06:29:10
sca.analysiscenter.veracode.com
Tags: idor, prestashop, access controls, invoice download, url parameter, anonymous mode

CVSS3: 5.3 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score: 6.9 Medium (Confidence: Low)
EPSS: 0.0004 Low (Percentile: 9.1%)

prestashop/prestashop is vulnerable to an Insecure Direct Object Reference (IDOR). The vulnerability is due to insufficient access controls, which allows any invoice to be downloaded from the front-office in anonymous mode by supplying a random secure_key parameter in the URL.
