CVE-2020-5270 – Open redirection when using back parameter of PrestaShop
https://notcve.org/view.php?id=CVE-2020-5270
In PrestaShop between versions 1.7.6.0 and 1.7.6.5, there is an open redirection when using back parameter. The impacts can be many, and vary from the theft of information and credentials to the redirection to malicious websites containing attacker-controlled content, which in some cases even cause XSS attacks. So even though an open redirection might sound harmless at first, the impacts of it can be severe should it be exploitable. The problem is fixed in 1.7.6.5 En PrestaShop entre las versiones 1.7.6.0 y 1.7.6.5, hay un redireccionamiento abierto cuando se usa el parámetro back. Los impactos pueden ser muchos y varían desde el robo de información y credenciales hasta el redireccionamiento a sitios web maliciosos que contienen contenido controlado por los atacantes, que en algunos casos incluso causan ataques de tipo XSS. • https://github.com/PrestaShop/PrestaShop/commit/cd2219dca49965ae8421bb5a53fc301f3f23c458 https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-375w-q56h-h7qc • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVE-2020-5264 – Reflected XSS in security compromised page of PrestaShop
https://notcve.org/view.php?id=CVE-2020-5264
In PrestaShop before version 1.7.6.5, there is a reflected XSS while running the security compromised page. It allows anyone to execute arbitrary action. The problem is patched in the 1.7.6.5. En PrestaShop versiones anteriores a 1.7.6.5, hay una vulnerabilidad de tipo XSS reflejado mientras se ejecuta la página security compromised. Permite a cualquiera ejecutar una acción arbitraria. • https://github.com/PrestaShop/PrestaShop/commit/06b7765c91c58e09ab4f8ddafbde02070fcb6f3a https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-48vj-vvr6-jj4f • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2020-5265 – Reflected XSS on AdminAttributesGroups page of PrestaShop
https://notcve.org/view.php?id=CVE-2020-5265
In PrestaShop between versions 1.7.6.1 and 1.7.6.5, there is a reflected XSS on AdminAttributesGroups page. The problem is patched in 1.7.6.5. En PrestaShop entre las versiones 1.7.6.1 y 1.7.6.5, hay una vulnerabilidad de tipo XSS reflejado en la página AdminAttributesGroups. El problema está corregido en la versión 1.7.6.5. • https://github.com/PrestaShop/PrestaShop/commit/622ba66ffdbf48b399875003e00bc34d8a3ef712 https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-7fmr-5vcc-329j • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2020-5250 – Possible information disclosure in PrestaShop
https://notcve.org/view.php?id=CVE-2020-5250
In PrestaShop before version 1.7.6.4, when a customer edits their address, they can freely change the id_address in the form, and thus steal someone else's address. It is the same with CustomerForm, you are able to change the id_customer and change all information of all accounts. The problem is patched in version 1.7.6.4. En PrestaShop versiones anteriores a 1.7.6.4, cuando un cliente edita su dirección, ellos pueden cambiar libremente el id_address en el formulario y, por lo tanto, robar la dirección de otra persona. Es lo mismo con CustomerForm, pueden ser capaces de cambiar el id_customer y cambiar toda la información de todas las cuentas. • https://github.com/PrestaShop/PrestaShop/commit/a4a609b5064661f0b47ab5bc538e1a9cd3dd1069 https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-mhfc-6rhg-fxp3 • CWE-285: Improper Authorization CWE-552: Files or Directories Accessible to External Parties •
CVE-2020-6632
https://notcve.org/view.php?id=CVE-2020-6632
In PrestaShop 1.7.6.2, XSS can occur during addition or removal of a QuickAccess link. This is related to AdminQuickAccessesController.php, themes/default/template/header.tpl, and themes/new-theme/js/header.js. En PrestaShop versión 1.7.6.2, una ataque de tipo XSS puede producirse durante la adición o eliminación de un enlace QuickAccess. Esto está relacionado con los archivos AdminQuickAccessesController.php, themes/default/template/header.tpl y themes/new-theme/js/header.js. • https://github.com/PrestaShop/PrestaShop/pull/17050/commits • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •