Insufficient Session Expiration in PrestaShop

#VU50835 Insufficient Session Expiration in PrestaShop

Published: 2021-02-22

Vulnerability identifier: #VU50835

Vulnerability risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21308

CWE-ID: CWE-613

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
PrestaShop
Web applications / E-Commerce systems

Vendor: PrestaShop SA

Description

The vulnerability allows a remote attacker to impersonate web application users.

The vulnerability exists due to insufficient session expiration issue within the soft logout feature. A remote non-authenticated attacker can impersonate web application users and execute customer commands.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

PrestaShop: 1.5.0.0 - 1.7.7.1

External links
http://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-557h-hf3c-whcg/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in PrestaShop