CVE-2020-5264 – Reflected XSS in security compromised page of PrestaShop
https://notcve.org/view.php?id=CVE-2020-5264
In PrestaShop before version 1.7.6.5, there is a reflected XSS while running the security compromised page. It allows anyone to execute arbitrary action. The problem is patched in the 1.7.6.5. En PrestaShop versiones anteriores a 1.7.6.5, hay una vulnerabilidad de tipo XSS reflejado mientras se ejecuta la página security compromised. Permite a cualquiera ejecutar una acción arbitraria. • https://github.com/PrestaShop/PrestaShop/commit/06b7765c91c58e09ab4f8ddafbde02070fcb6f3a https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-48vj-vvr6-jj4f • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2020-5250 – Possible information disclosure in PrestaShop
https://notcve.org/view.php?id=CVE-2020-5250
In PrestaShop before version 1.7.6.4, when a customer edits their address, they can freely change the id_address in the form, and thus steal someone else's address. It is the same with CustomerForm, you are able to change the id_customer and change all information of all accounts. The problem is patched in version 1.7.6.4. En PrestaShop versiones anteriores a 1.7.6.4, cuando un cliente edita su dirección, ellos pueden cambiar libremente el id_address en el formulario y, por lo tanto, robar la dirección de otra persona. Es lo mismo con CustomerForm, pueden ser capaces de cambiar el id_customer y cambiar toda la información de todas las cuentas. • https://github.com/PrestaShop/PrestaShop/commit/a4a609b5064661f0b47ab5bc538e1a9cd3dd1069 https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-mhfc-6rhg-fxp3 • CWE-285: Improper Authorization CWE-552: Files or Directories Accessible to External Parties •
CVE-2019-13461
https://notcve.org/view.php?id=CVE-2019-13461
In PrestaShop before 1.7.6.0 RC2, the id_address_delivery and id_address_invoice parameters are affected by an Insecure Direct Object Reference vulnerability due to a guessable value sent to the web application during checkout. An attacker could leak personal customer information. This is PrestaShop bug #14444. En PrestaShop versiones anteriores a 1.7.6.0 RC2, los parámetros id_address_delivery y id_address_invoice se ven afectados por una vulnerabilidad de Referencia de Objeto Directa no Segura debido a un valor que puede enviarse a la aplicación web durante el proceso de pago. Un atacante podría filtrar información personal del cliente. • https://assets.prestashop2.com/en/system/files/ps_releases/changelog_1.7.6.0-rc2.txt https://blog.hacktivesecurity.com/index.php?controller=post&action=view&id_post=40 • CWE-639: Authorization Bypass Through User-Controlled Key •