PT-2020-20615 · Prestashop · Prestashop Module Olea Gift On Order

Florent Besnard · Published 2020-11-02 · Updated 2020-11-09 · CVE-2020-9368

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

PrestaShop Module Olea Gift On Order versions through 5.0.8

Description

The issue allows an unauthenticated user to read arbitrary files on the server via a directory traversal attack using the getfile.php endpoint with a file parameter, such as getfile.php?file=/...

Recommendations

For versions through 5.0.8, as a temporary workaround, consider restricting access to the getfile.php endpoint until a patch is available. Avoid using the file parameter in the affected endpoint to minimize the risk of exploitation.
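
One way to review web-server access logs for requests that match the description above, as an added example that is not code from this advisory or from the module. The combined log format, the module path, the file values and the helper names are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in combined log format; paths and values are placeholders.
SAMPLE_LOG = """\
198.51.100.7 - - [02/Nov/2020:10:00:01 +0000] "GET /modules/example/getfile.php?file=/placeholder/absolute.txt HTTP/1.1" 200 512
198.51.100.7 - - [02/Nov/2020:10:00:05 +0000] "GET /modules/example/getfile.php?file=..%2F..%2Fplaceholder.txt HTTP/1.1" 200 90
203.0.113.9 - - [02/Nov/2020:10:01:00 +0000] "GET /modules/example/getfile.php?file=%252e%252e%252fplaceholder.txt HTTP/1.1" 403 0
192.0.2.44 - - [02/Nov/2020:10:02:00 +0000] "GET /modules/example/getfile.php?file=gift-terms.pdf HTTP/1.1" 200 2048
192.0.2.44 - - [02/Nov/2020:10:02:30 +0000] "GET /index.php?file=../x HTTP/1.1" 200 10
"""

# client address, request target and status code of one log line
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3})')

def classify_file_param(value):
    """Return why a file= value looks like traversal, or None if it does not."""
    decoded = value
    for _ in range(3):  # undo nested percent-encoding such as %252e
        decoded = unquote(decoded)
    norm = decoded.replace("\\", "/")
    if "\x00" in norm:
        return "null byte"
    if norm.startswith("/") or re.match(r"[A-Za-z]:/", norm):
        return "absolute path"
    if ".." in norm.split("/"):
        return "parent-directory segment"
    return None

def find_suspicious(log_text):
    """Return (client, status, reason) for each flagged getfile.php request."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith("/getfile.php"):
            continue
        # parse_qs already percent-decodes the value once
        for value in parse_qs(url.query, keep_blank_values=True).get("file", []):
            reason = classify_file_param(value)
            if reason:
                hits.append((client, int(status), reason))
    return hits

if __name__ == "__main__":
    print(*find_suspicious(SAMPLE_LOG), sep="\n")
```

A flagged request that was answered with status 200 deserves closer review than one answered with 403 or 404.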

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2020-9368

Affected Products

Prestashop Module Olea Gift On Order