PT-2020-18344 · Prestashop · Prestashop

Fanie Guesdon · Published 2020-03-05 · Updated 2020-03-05 · CVE-2020-5250

CVSS v3.1: 7.6 (High)

Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

Name of the Vulnerable Software and Affected Versions

PrestaShop versions prior to 1.7.6.4

Description

When a customer edits their address, they can change the id_address value submitted with the form, potentially leading to the theft of someone else's address. Similarly, with CustomerForm, a customer can change the id_customer value and alter all information of any account.

Recommendations

Update to version 1.7.6.4 to resolve the issue. As a temporary workaround, consider restricting access to the address editing form and CustomerForm until the update is applied.
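The missing check described above, shown as an added example that is not PrestaShop's code or its actual patch: a simplified in-memory model of an address form handler, first trusting the posted id_address, then verifying the stored owner against the logged-in session. Function names, the array layout and the sample data are constructed for illustration.

```php
<?php
// Added illustration, not PrestaShop code. All names and data are constructed.

// Constructed address table: id_address => row.
$addresses = [
    10 => ['id_customer' => 1, 'city' => 'Paris'],
    11 => ['id_customer' => 2, 'city' => 'Lyon'],
];

// Flawed pattern (assumed model of the bug): the row to update is selected
// by the posted id_address alone and is saved under the session customer.
function saveAddressUnchecked(array &$addresses, int $sessionCustomerId, array $post): bool
{
    $id = (int) ($post['id_address'] ?? 0);
    if (!isset($addresses[$id])) {
        return false;
    }
    $addresses[$id] = [
        'id_customer' => $sessionCustomerId,
        'city'        => (string) ($post['city'] ?? ''),
    ];
    return true;
}

// Hardened pattern: the posted id is only a lookup key. The stored owner must
// match the authenticated session, otherwise nothing is written.
function saveAddressChecked(array &$addresses, int $sessionCustomerId, array $post): bool
{
    $id = (int) ($post['id_address'] ?? 0);
    if (!isset($addresses[$id]) || $addresses[$id]['id_customer'] !== $sessionCustomerId) {
        return false; // caller would reject the request and log the mismatch
    }
    $addresses[$id]['city'] = (string) ($post['city'] ?? '');
    return true;
}

// Constructed request: customer 1 is logged in, the form carries address 11.
$post = ['id_address' => '11', 'city' => 'Nice'];

$a = $addresses;
$ok = saveAddressUnchecked($a, 1, $post);
printf("unchecked: saved=%s owner_of_11=%d\n", var_export($ok, true), $a[11]['id_customer']);

$b = $addresses;
$ok = saveAddressChecked($b, 1, $post);
printf("checked:   saved=%s owner_of_11=%d\n", var_export($ok, true), $b[11]['id_customer']);
```

The same rule covers the CustomerForm case: the customer record to update is taken from the authenticated session, and a posted id_customer that differs from it is rejected.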

Fix

Improper Authorization

Files Accessible to External Parties

Weakness Enumeration

Related Identifiers

CVE-2020-5250
GHSA-MHFC-6RHG-FXP3

Affected Products

Prestashop