GHSA-7pjr-2rgh-fc5g

Source
https://github.com/advisories/GHSA-7pjr-2rgh-fc5g
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-7pjr-2rgh-fc5g/GHSA-7pjr-2rgh-fc5g.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-7pjr-2rgh-fc5g
Aliases
Published
2024-05-14T20:17:27Z
Modified
2024-05-24T12:11:47.817500Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
Anonymous PrestaShop customer can download other customers' invoices
Details

Impact

Since PrestaShop 8.1.5, any invoice can be downloaded from the front office in anonymous mode by supplying a random secure_key parameter in the URL.

Patches

Patched in 8.1.6

Workarounds

Upgrade to 8.1.6

Thank you to Samuel Bodevin, who found this vulnerability and shared it with the PrestaShop team.

Database specific
{
    "nvd_published_at": "2024-05-14T16:17:28Z",
    "cwe_ids": [
        "CWE-200"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-14T20:17:27Z"
}
References

Affected packages

Packagist / prestashop/prestashop

Package

Name
prestashop/prestashop
Purl
pkg:composer/prestashop/prestashop

Affected ranges

Type
ECOSYSTEM
Events
Introduced
8.1.5
Fixed
8.1.6

Affected versions

8.*

8.1.5