SB2020070247 - Multiple vulnerabilities in PrestaShop
Published: July 2, 2020 Updated: May 4, 2026
Description
This security bulletin contains information about 7 vulnerabilities.
1) External Control of System or Configuration Setting (CVE-ID: CVE-2020-15082)
The vulnerability allows a remote user to modify configuration settings.
The vulnerability exists because a configuration setting in the dashboard can be controlled externally when dashboard requests are handled. A remote user can rewrite configuration variables and so modify configuration settings.
2) Exposure of Information Through Directory Listing (CVE-ID: CVE-2020-15081)
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists because directory listing is enabled for the upload directory when requests for its contents are handled. A remote attacker can request the directory listing to disclose sensitive information.
3) Information disclosure (CVE-ID: CVE-2020-15080)
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists because release archive files are left accessible without proper access control when requests for them are handled. A remote attacker can request these archive files to disclose sensitive information.
4) Improper Authentication (CVE-ID: CVE-2020-4074)
The vulnerability allows a remote attacker to execute admin commands.
The vulnerability exists due to improper authentication in the authentication system when handling foreign requests. A remote attacker can send a crafted request to execute admin commands.
5) Improper access control (CVE-ID: CVE-2020-15079)
The vulnerability allows a remote user to access restricted administrative functionality.
The vulnerability exists due to improper access control in the Carrier page, Module Manager and Module Positions pages when handling requests. A remote user can send a specially crafted request to access restricted administrative functionality.
6) Cross-site scripting (CVE-ID: CVE-2020-15083)
The vulnerability allows a remote attacker to execute arbitrary script in the victim's browser.
The vulnerability exists due to cross-site scripting in the product page image upload functionality when handling a corrupted uploaded file. A remote attacker can upload a specially crafted file to execute arbitrary script in the victim's browser.
7) Cross-site scripting (CVE-ID: CVE-2020-11074)
The vulnerability allows a remote user to execute arbitrary script code in a user's browser.
The vulnerability exists due to cross-site scripting in AdminQuickAccesses when processing the name of a quick access item. A remote user can create or modify a quick access item with a specially crafted name to execute arbitrary script code in a user's browser.
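The following is an added illustration of the defect class behind item 7, written for this bulletin and not taken from PrestaShop's code base: a stored name is concatenated into admin HTML without output encoding, beside a hardened rendering that escapes every dynamic value for its HTML context, plus a regression check that flags any tag the template itself did not emit. The menu structure, the name-validation policy (no angle brackets or control characters, at most 64 characters) and the sample items are assumptions made for the example.

```python
"""Output encoding for user-controlled strings rendered into admin HTML.

Added example, not PrestaShop code. It models a quick-access menu: item
names are stored by one back-office user and later rendered for every
admin who loads the menu, so a name is untrusted data at render time.
"""
import html
import re

# Constructed sample data (assumption): the second name is the kind of
# value a malicious user could store. It becomes inert once escaped.
SAMPLE_ITEMS = [
    ("Catalog", "index.php?controller=AdminProducts"),
    ('<img src=x onerror="alert(1)">', "index.php?controller=AdminOrders"),
]

# Tags the template itself emits; anything else in the output is injected.
TEMPLATE_TAGS = frozenset({"ul", "/ul", "li", "/li", "a", "/a"})

TAG_RE = re.compile(r"<[^>]+>")


def render_menu_unsafe(items):
    """'Before' form: the raw name and link are concatenated into markup."""
    body = "".join(f'<li><a href="{link}">{name}</a></li>' for name, link in items)
    return f"<ul>{body}</ul>"


def render_menu_safe(items):
    """'After' form: every dynamic value is HTML-escaped for its context.

    quote=True escapes both ' and " as well as <, > and &, which is what
    an attribute value needs; the same call is safe for element text.
    """
    body = "".join(
        f'<li><a href="{html.escape(link, quote=True)}">'
        f"{html.escape(name, quote=True)}</a></li>"
        for name, link in items
    )
    return f"<ul>{body}</ul>"


def contains_injected_markup(rendered):
    """Regression check: True if the output contains a tag the template
    did not emit. Escaped content contains no '<', so it yields no tags."""
    for tag in TAG_RE.findall(rendered):
        tag_name = tag[1:].split()[0].rstrip(">").lower()
        if tag_name not in TEMPLATE_TAGS:
            return True
    return False


def is_valid_quick_access_name(name):
    """Defense in depth at input time (policy is an assumption): reject
    markup delimiters and control characters, and bound the length.
    Output encoding above remains the primary control."""
    if not 1 <= len(name) <= 64:
        return False
    return re.search(r"[<>\x00-\x1f\x7f]", name) is None


if __name__ == "__main__":
    print("unsafe :", render_menu_unsafe(SAMPLE_ITEMS))
    print("safe   :", render_menu_safe(SAMPLE_ITEMS))
    print("injected in unsafe:", contains_injected_markup(render_menu_unsafe(SAMPLE_ITEMS)))
    print("injected in safe  :", contains_injected_markup(render_menu_safe(SAMPLE_ITEMS)))
```

The check in contains_injected_markup is deliberately simple (it only asks whether an unexpected tag name appears); it is meant as a unit-test guard against someone reintroducing raw concatenation in a template, not as a general HTML sanitizer.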
Remediation
Install the update from the vendor's website.
References
- https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-mc98-xjm3-c4fm
- https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-997j-f42g-x57c
- https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-492w-2pp5-xhvg
- https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-ccvh-jh5x-mpg4
- https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-xp3x-3h8q-c386
- https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-qgh4-95j7-p3vj
- https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-v4pg-q2cv-f7x4