PT-2019-10176 · Prestashop · Prestashop

Robin Peraglie · Published 2019-01-15 · Updated 2022-05-14 · CVE-2018-20717

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: PrestaShop versions prior to 1.7.2.5
Description: The issue allows an attacker who has gained access to the orders section of PrestaShop with a user role of Salesman or higher privileges to inject arbitrary PHP objects and abuse an object chain to gain Remote Code Execution. This occurs because the protection against serialized objects looks for "O:" followed by an integer, but does not consider "O:+" followed by an integer.
Recommendations: For PrestaShop versions prior to 1.7.2.5, update to version 1.7.2.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the orders section to minimize the risk of exploitation.
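The description above comes down to a deny-list regex that recognises one spelling of an object marker and misses another. The following is an added example, not code from the advisory or from PrestaShop: it models the weak check as described (an assumed pattern shape, not PrestaShop's actual source), a hardened deny-list variant that also accepts a sign before the length and the "C:" custom-object marker, and, as the more robust alternative, an allow-list parser for PHP-serialized data that only has branches for scalars and arrays, so any object token is rejected no matter how its length is written. The sample inputs are constructed for the example.

```python
import re


class RejectedSerialized(ValueError):
    """Raised when input is not a well-formed scalar/array serialization."""


# Constructed sample inputs (not taken from the advisory). The second and third
# embed a serialized object; the third writes the class-name length with a
# leading "+", the variant the advisory says the original check did not consider.
PLAIN_ARRAY = b'a:2:{s:3:"key";s:5:"value";i:7;a:1:{i:0;b:1;}}'
OBJECT_PLAIN = b'a:1:{i:0;O:8:"stdClass":0:{}}'
OBJECT_SIGNED = b'a:1:{i:0;O:+8:"stdClass":0:{}}'

# Assumed shape of the deny-list check the advisory describes (not PrestaShop's
# code): only "O:" directly followed by unsigned digits is flagged.
WEAK_OBJECT_PATTERN = re.compile(rb'O:[0-9]+:"')
# Hardened variant (assumed): optional sign before the length, and "C:" too.
HARDENED_OBJECT_PATTERN = re.compile(rb'[OC]:[+-]?[0-9]+:"')


def weak_check_passes(data: bytes) -> bool:
    """True when the weak deny-list finds nothing, i.e. input would be unserialized."""
    return WEAK_OBJECT_PATTERN.search(data) is None


def hardened_check_passes(data: bytes) -> bool:
    """Same deny-list idea with the sign and "C:" gaps closed."""
    return HARDENED_OBJECT_PATTERN.search(data) is None


UNSIGNED = re.compile(rb'[0-9]+')
SIGNED = re.compile(rb'-?[0-9]+')


def parse_safe_serialized(data: bytes):
    """Allow-list parser: only N, b, i, d, s and a tokens have a branch.

    Object markers (O: or C:), with or without a sign before the length, never
    reach any constructor because no branch exists for them.
    """
    pos = 0

    def expect(literal: bytes) -> None:
        nonlocal pos
        if data[pos:pos + len(literal)] != literal:
            raise RejectedSerialized(f"expected {literal!r} at offset {pos}")
        pos += len(literal)

    def read_until(delim: bytes) -> bytes:
        nonlocal pos
        end = data.find(delim, pos)
        if end < 0:
            raise RejectedSerialized(f"missing {delim!r} after offset {pos}")
        token = data[pos:end]
        pos = end + len(delim)
        return token

    def number(pattern: re.Pattern, delim: bytes) -> int:
        token = read_until(delim)
        if not pattern.fullmatch(token):
            raise RejectedSerialized(f"bad length or integer {token!r}")
        return int(token)

    def value():
        nonlocal pos
        tag = data[pos:pos + 1]
        if tag == b"N":
            expect(b"N;")
            return None
        if tag == b"b":
            expect(b"b:")
            flag = read_until(b";")
            if flag not in (b"0", b"1"):
                raise RejectedSerialized(f"bad boolean {flag!r}")
            return flag == b"1"
        if tag == b"i":
            expect(b"i:")
            return number(SIGNED, b";")
        if tag == b"d":
            expect(b"d:")
            token = read_until(b";")
            try:
                return float(token.decode("ascii"))
            except (UnicodeDecodeError, ValueError):
                raise RejectedSerialized(f"bad float {token!r}") from None
        if tag == b"s":
            expect(b"s:")
            length = number(UNSIGNED, b":")  # byte length, unsigned digits only
            expect(b'"')
            raw = data[pos:pos + length]
            if len(raw) != length:
                raise RejectedSerialized("string shorter than its declared length")
            pos += length
            expect(b'";')
            return raw
        if tag == b"a":
            expect(b"a:")
            count = number(UNSIGNED, b":")
            expect(b"{")
            result = {}
            for _ in range(count):
                key = value()
                if isinstance(key, bool) or not isinstance(key, (int, bytes)):
                    raise RejectedSerialized("array keys must be int or string")
                result[key] = value()
            expect(b"}")
            return result
        # O:, C: and anything else: no branch, so nothing is ever constructed.
        raise RejectedSerialized(f"type tag {tag!r} not allowed at offset {pos}")

    result = value()
    if pos != len(data):
        raise RejectedSerialized(f"trailing bytes after offset {pos}")
    return result


def accepts(data: bytes) -> bool:
    """True when the allow-list parser accepts the input."""
    try:
        parse_safe_serialized(data)
        return True
    except RejectedSerialized:
        return False


if __name__ == "__main__":
    for name, sample in (("plain array", PLAIN_ARRAY),
                         ("object O:8", OBJECT_PLAIN),
                         ("object O:+8", OBJECT_SIGNED)):
        print(f"{name:12} weak={weak_check_passes(sample)!s:5} "
              f"hardened={hardened_check_passes(sample)!s:5} "
              f"allow-list={accepts(sample)}")
```

Running the block shows the gap: the weak check lets the "O:+8" sample through while rejecting "O:8", the hardened deny-list rejects both, and the allow-list parser rejects both without needing to enumerate spellings. The parser returns Python dicts with bytes keys and values, since PHP string lengths are byte counts; a real deployment would rather store such data as JSON and avoid unserialize() on user-influenced input altogether.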

Tags: Exploit · Fix · RCE · Code Injection


Weakness Enumeration

Related Identifiers: CVE-2018-20717, GHSA-XX67-2J3V-H76P

Affected Products: Prestashop