CVE-2023-39526

PrestaShop is an open source e-commerce web application. Versions prior to 1.7.8.10, 8.0.5, and 8.1.1 are vulnerable to remote code execution through SQL injection and arbitrary file write in the back office. Versions 1.7.8.10, 8.0.5, and 8.1.1 contain a patch. There are no known workarounds.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/PrestaShop/PrestaShop/commit/817847e2347844a9b6add017581f1932bcd28c09	Patch
https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-gf46-prm4-56pc	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:prestashop:prestashop::::::::
	cpe:2.3:a:prestashop:prestashop::::::::
	cpe:2.3:a:prestashop:prestashop:8.1.0:::::::*

History

No history.

Information

Published : 2023-08-07 21:15

Updated : 2023-08-09 20:18

NVD link : CVE-2023-39526

Mitre link : CVE-2023-39526

CVE.ORG link : CVE-2023-39526

JSON object : View

Products Affected

prestashop

prestashop

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

{"id": "CVE-2023-39526", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.3}]}, "published": "2023-08-07T21:15:10.347", "references": [{"url": "https://github.com/PrestaShop/PrestaShop/commit/817847e2347844a9b6add017581f1932bcd28c09", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-gf46-prm4-56pc", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "PrestaShop is an open source e-commerce web application. Versions prior to 1.7.8.10, 8.0.5, and 8.1.1 are vulnerable to remote code execution through SQL injection and arbitrary file write in the back office. Versions 1.7.8.10, 8.0.5, and 8.1.1 contain a patch. There are no known workarounds."}], "lastModified": "2023-08-09T20:18:36.627", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:prestashop:prestashop:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "67B46788-7E3F-49C3-A69A-2F1922BCA5A5", "versionEndExcluding": "1.7.8.10"}, {"criteria": "cpe:2.3:a:prestashop:prestashop:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1E3B54B4-4484-44F8-A0F1-714EA40399CF", "versionEndExcluding": "8.0.5", "versionStartIncluding": "8.0.0"}, {"criteria": "cpe:2.3:a:prestashop:prestashop:8.1.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D34AD75A-BC2E-46F5-BFCD-671C06A23898"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}