PT-2020-13048 · Prestashop+1
Andrea Iodice
·
Published
2020-04-27
·
Updated
2021-07-21
·
CVE-2020-12120
CVSS v3.1
7.5
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Correos Express addon for PrestaShop, on PrestaShop versions 1.6 through 1.7
Description
The Correos Express addon for PrestaShop 1.6 through 1.7 allows unauthenticated remote attackers to obtain sensitive information. The disclosed data includes the password of the service owner's account, which an attacker can then use to modify orders through the addon's SOAP interface. Attackers can also retrieve information about orders and buyers. Note that the CVSS vector scores only the direct confidentiality impact (C:H); the ability to modify orders is a consequence of reusing the disclosed password and is not reflected in the integrity score.
Recommendations
For shops running the Correos Express addon on PrestaShop 1.6 through 1.7, disable or uninstall the addon until a patched version is available. Restrict access to the addon's SOAP endpoints (for example, with a web-server allowlist) so that they are reachable only from trusted sources. Because the disclosed password can be used to modify orders via SOAP, treat any suspected exposure as a credential compromise: change the service owner's password and review recent order changes for tampering. Avoid using the addon to modify orders until the issue is resolved.
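One way to act on the "restrict access" recommendation is to check whether the addon's files are being reached from outside the sources you expect. The script below is an added example, not code from the advisory or from the Correos Express project. It assumes the PrestaShop convention that a module's files live under /modules/<module_name>/ (so /modules/correosexpress/ here; the advisory names no specific file), that legitimate requests to that directory come only from an allowlisted set of networks, and that the web server writes Apache/nginx combined-format access logs. The sample log lines are constructed for the example.

```python
"""Flag web-server requests to the Correos Express module directory that
come from outside an allowlist and were served successfully (HTTP 200).

Added example, not part of the advisory. Assumptions (not stated on the page):
 - PrestaShop installs modules under /modules/<module_name>/, so the add-on's
   files live under /modules/correosexpress/ (the advisory names no file).
 - Only allowlisted networks (e.g. the shop's own servers, admin VPN) should
   reach that directory; any other 200 response is worth investigating.
 - Access logs use the Apache/nginx common/combined format.
"""
import ipaddress
import re
from collections import Counter

MODULE_PREFIX = "/modules/correosexpress/"  # assumed from PrestaShop module layout

# Common/combined log format: ip ident user [time] "METHOD path HTTP/x" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [27/Apr/2020:10:00:01 +0000] "GET /modules/correosexpress/ HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '203.0.113.7 - - [27/Apr/2020:10:00:02 +0000] "GET /modules/correosexpress/ HTTP/1.1" 200 1834 "-" "python-requests/2.23"',
    '203.0.113.7 - - [27/Apr/2020:10:00:03 +0000] "POST /modules/correosexpress/index.php HTTP/1.1" 200 240 "-" "python-requests/2.23"',
    '198.51.100.23 - - [27/Apr/2020:10:00:04 +0000] "GET /modules/correosexpress/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [27/Apr/2020:10:00:05 +0000] "GET /index.php?controller=product&id_product=3 HTTP/1.1" 200 9021 "-" "Mozilla/5.0"',
]

# Networks from which access to the module directory is expected (assumed).
ALLOWED_NETWORKS = ["10.0.0.0/8", "192.168.0.0/16"]


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_suspicious(lines, allowed_networks):
    """Return records for successful (200) requests to the module directory
    whose client IP is not inside any allowlisted network."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(MODULE_PREFIX):
            continue
        client = ipaddress.ip_address(rec["ip"])
        if any(client in net for net in nets):
            continue  # expected source, ignore
        if rec["status"] == 200:
            hits.append(rec)
    return hits


def summarize(hits):
    """Count suspicious hits per client IP so the noisiest sources stand out."""
    return Counter(rec["ip"] for rec in hits)


if __name__ == "__main__":
    suspicious = find_suspicious(SAMPLE_LOG, ALLOWED_NETWORKS)
    for rec in suspicious:
        print(f'{rec["ip"]} {rec["method"]} {rec["path"]} -> {rec["status"]} at {rec["time"]}')
    print("per-IP totals:", dict(summarize(suspicious)))
```

Requests that were already refused (403) are deliberately not reported, since a denied request shows the restriction working; what matters is a 200 from an unexpected source, which indicates the directory is still reachable and should be reviewed together with the password-rotation step above.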
Weakness Enumeration
Incorrect Permission
Related Identifiers
CVE-2020-12120
Affected Products
Correosexpress
Prestashop