Vulnerability identifier: #VU27320

Vulnerability risk: Medium

CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-5279

CWE-ID: CWE-284

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
PrestaShop
Web applications / E-Commerce systems

Vendor: PrestaShop SA

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions for legacy controllers and API. A remote authenticated attacker can bypass implemented security restrictions and gain unauthorized access to the application.

• admin-dev/index.php/configure/shop/customer-preferences/
• admin-dev/index.php/improve/international/translations/
• admin-dev/index.php/improve/international/geolocation/
• admin-dev/index.php/improve/international/localization
• admin-dev/index.php/configure/advanced/performance
• admin-dev/index.php/sell/orders/delivery-slips/ - admin-dev/index.php?controller=AdminStatuses

Mitigation
Install updates from vendor's website.

Vulnerable software versions

PrestaShop: 1.5.0.0 - 1.7.6.4

---

External links
http://github.com/PrestaShop/PrestaShop/commit/4444fb85761667a2206874a3112ccc77f657d76a
http://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-74vp-ww64-w2gm

---

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.