Multiple vulnerabilities in PrestaShop
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 14 |
| CVE-ID | CVE-2020-5293 CVE-2020-5288 CVE-2020-5287 CVE-2020-5286 CVE-2020-5285 CVE-2020-5279 CVE-2020-5278 CVE-2020-5276 CVE-2020-5272 CVE-2020-5271 CVE-2020-5270 CVE-2020-5269 CVE-2020-5265 CVE-2020-5264 |
| CWE-ID | CWE-284 CWE-79 CWE-601 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
PrestaShop Web applications / E-Commerce systems |
| Vendor | PrestaShop SA |
Security Bulletin
This security bulletin contains information about 14 vulnerabilities.
1) Improper access control
EUVDB-ID: #VU27325
Risk: Medium
CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-5293
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions on product page with combinations, attachments and specific prices. A remote authenticated attacker can bypass implemented security restrictions and gain unauthorized access to the application.
MitigationInstall updates from vendor's website.
Vulnerable software versionsPrestaShop: 1.7.0.0 - 1.7.6.4
External linkshttp://github.com/PrestaShop/PrestaShop/commit/f9f442c87755908e23a6bcba8c443cdea1d78a7f
http://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-cvjj-grfv-f56w
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Improper access control
EUVDB-ID: #VU27324
Risk: Medium
CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-5288
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions on product attributes page. A remote authenticated attacker can bypass implemented security restrictions and gain unauthorized access to the application.
MitigationInstall updates from vendor's website.
Vulnerable software versionsPrestaShop: 1.7.0.0 - 1.7.6.4
External linkshttp://github.com/PrestaShop/PrestaShop/commit/fc1d796dda769efdbc4d9e02ea7a11e4167338d0
http://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-4wxg-33h3-3w5r
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Improper access control
EUVDB-ID: #VU27323
Risk: Medium
CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-5287
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions on customers search. A remote authenticated attacker can bypass implemented security restrictions and gain unauthorized access to the application.
MitigationInstall updates from vendor's website.
Vulnerable software versionsPrestaShop: 1.5.5.0 - 1.7.6.4
External linkshttp://github.com/PrestaShop/PrestaShop/commit/27e49d89808f1d76eb909a595f344a6739bc0b52
http://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-r6rp-6gv6-r9hq
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Cross-site scripting
EUVDB-ID: #VU27322
Risk: Low
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-5286
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data when uploading a wrong file. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Vulnerable software versionsPrestaShop: 1.7.4.0 - 1.7.6.4
External linkshttp://github.com/PrestaShop/PrestaShop/commit/fc0625fb0a9aab1835515f1bea52e8e063384da7
http://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-98j8-hvjv-x47j
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Cross-site scripting
EUVDB-ID: #VU27321
Risk: Low
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-5285
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data passed via the "back" parameter. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Vulnerable software versionsPrestaShop: 1.7.6.0 - 1.7.6.4
External linkshttp://github.com/PrestaShop/PrestaShop/commit/b6aea152988d81e1586f1c03f2e72c9ef2fe7df7
http://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-j3r6-33hf-m8wh
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Improper access control
EUVDB-ID: #VU27320
Risk: Medium
CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-5279
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions for legacy controllers and API. A remote authenticated attacker can bypass implemented security restrictions and gain unauthorized access to the application.
- admin-dev/index.php/configure/shop/customer-preferences/
- admin-dev/index.php/improve/international/translations/
- admin-dev/index.php/improve/international/geolocation/
- admin-dev/index.php/improve/international/localization
- admin-dev/index.php/configure/advanced/performance
- admin-dev/index.php/sell/orders/delivery-slips/ - admin-dev/index.php?controller=AdminStatuses
Mitigation
Install updates from vendor's website.
Vulnerable software versionsPrestaShop: 1.5.0.0 - 1.7.6.4
External linkshttp://github.com/PrestaShop/PrestaShop/commit/4444fb85761667a2206874a3112ccc77f657d76a
http://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-74vp-ww64-w2gm
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Cross-site scripting
EUVDB-ID: #VU27319
Risk: Low
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-5278
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data on Exception page. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Vulnerable software versionsPrestaShop: 1.5.4.0 - 1.7.6.4
External linkshttp://github.com/PrestaShop/PrestaShop/commit/ea85210d6e5d81f058b55764bc4608cdb0b36c5d
http://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-mrpj-67mq-3fr5
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Cross-site scripting
EUVDB-ID: #VU27318
Risk: Low
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-5276
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data passed via the "cartBox" parameter on AdminCarts page. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Vulnerable software versionsPrestaShop: 1.7.1.0 - 1.7.6.4
External linkshttp://github.com/PrestaShop/PrestaShop/commit/6838d21850e7227fb8afbf568cb0386b3dedd3ef
http://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-q6pr-42v5-v97q
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Cross-site scripting
EUVDB-ID: #VU27317
Risk: Low
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-5272
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data passed via the "alias" and "search" parameters on Search page. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Vulnerable software versionsPrestaShop: 1.5.5.0 - 1.7.6.4
External linkshttp://github.com/PrestaShop/PrestaShop/commit/d3bf027fa37e8105fed3c809d636ebe787e43f46
http://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-rpg3-f23r-jmqv
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Cross-site scripting
EUVDB-ID: #VU27316
Risk: Low
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-5271
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data passed via the "date_from" and "date_to" parameters in the dashboard page. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Vulnerable software versionsPrestaShop: 1.6.0.1 - 1.7.6.4
External linkshttp://github.com/PrestaShop/PrestaShop/commit/c464518d2aaf195007a1eb055fce64a9a027e00a
http://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-m2x6-c2c6-pjrx
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Open redirect
EUVDB-ID: #VU27315
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-5270
CWE-ID:
CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to redirect victims to arbitrary URL.
The vulnerability exists due to improper sanitization of user-supplied data passed via the "back" parameter. A remote attacker can create a link that leads to a trusted website, however, when clicked, redirects the victim to arbitrary domain.
Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information.
MitigationInstall updates from vendor's website.
Vulnerable software versionsPrestaShop: 1.7.6.0 - 1.7.6.4
External linkshttp://github.com/PrestaShop/PrestaShop/commit/cd2219dca49965ae8421bb5a53fc301f3f23c458
http://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-375w-q56h-h7qc
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Cross-site scripting
EUVDB-ID: #VU27314
Risk: Low
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-5269
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data passed via the "id_feature" parameter on AdminFeatures page. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Vulnerable software versionsPrestaShop: 1.7.6.1 - 1.7.6.4
External linkshttp://github.com/PrestaShop/PrestaShop/commit/9efca621a0b74b82dafa91e6b955120036e31334
http://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-87jh-7xpg-6v93
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
13) Cross-site scripting
EUVDB-ID: #VU27313
Risk: Low
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-5265
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data on "AdminAttributesGroups" page. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Vulnerable software versionsPrestaShop: 1.7.6.1 - 1.7.6.4
External linkshttp://github.com/PrestaShop/PrestaShop/commit/622ba66ffdbf48b399875003e00bc34d8a3ef712
http://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-7fmr-5vcc-329j
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
14) Cross-site scripting
EUVDB-ID: #VU27311
Risk: Low
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-5264
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Vulnerable software versionsPrestaShop: 1.7.0.0 - 1.7.6.4
External linkshttp://github.com/PrestaShop/PrestaShop/commit/06b7765c91c58e09ab4f8ddafbde02070fcb6f3a
http://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-48vj-vvr6-jj4f
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
