CVE-2023-43664
Employee without any access rights can list all installed modules in Prestashop
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
PrestaShop is an Open Source e-commerce web application. In the Prestashop Back office interface, an employee can list all modules without any access rights: method `ajaxProcessGetPossibleHookingListForModule` doesn't check access rights. This issue has been addressed in commit `15bd281c` which is included in version 8.1.2. Users are advised to upgrade. There are no known workaround for this issue.
PrestaShop es una aplicación web de comercio electrónico de código abierto. En la interfaz del Back office de Prestashop, un empleado puede enumerar todos los módulos sin ningún derecho de acceso: el método `ajaxProcessGetPossibleHookingListForModule` no verifica los derechos de acceso. Este problema se solucionó en el commit `15bd281c` que se incluye en la versión 8.1.2. Se recomienda a los usuarios que actualicen. No se conoce ningún workaround para este problema.
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2023-09-20 CVE Reserved
- 2023-09-28 CVE Published
- 2024-09-20 CVE Updated
- 2024-10-04 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-269: Improper Privilege Management
CAPEC
References (2)
URL | Tag | Source |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://github.com/PrestaShop/PrestaShop/commit/15bd281c18f032a5134a8d213b44d24829d45762 | 2023-10-03 |
URL | Date | SRC |
---|---|---|
https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-gvrg-62jp-rf7j | 2023-10-03 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Prestashop Search vendor "Prestashop" | Prestashop Search vendor "Prestashop" for product "Prestashop" | < 8.1.2 Search vendor "Prestashop" for product "Prestashop" and version " < 8.1.2" | - |
Affected
|