In PrestaShop before version 1.7.6.4, when a customer edits their address, they can freely change the id_address in the form, and thus…
GitHub_M·CWE-285·Published 2020-03-05
In PrestaShop before version 1.7.6.4, when a customer edits their address, they can freely change the id_address in the form, and thus steal someone else's address. It is the same with CustomerForm, you are able to change the id_customer and change all information of all accounts. The problem is patched in version 1.7.6.4.
In PrestaShop before version 1.7.6.4, when a customer edits their address, they can freely change the id_address in the form, and thus steal someone else's address. It is the same with CustomerForm, you are able to change the id_customer and change all information of all accounts. The problem is patched in version 1.7.6.4.
En PrestaShop versiones anteriores a 1.7.6.4, cuando un cliente edita su dirección, ellos pueden cambiar libremente el id_address en el formulario y, por lo tanto, robar la dirección de otra persona. Es lo mismo con CustomerForm, pueden ser capaces de cambiar el id_customer y cambiar toda la información de todas las cuentas. El problema está parcheado en la versión 1.7.6.4.
| Version | Type | Source | Base | Exp | Impact | Vector |
|---|---|---|---|---|---|---|
| 2.0 | Primary | NVD | 4.9 | 6.8 | 4.9 | AV:N/AC:M/Au:S/C:P/I:P/A:N |
| 3.1 | Primary | cve.org | 7.6 | — | — | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N |
| 3.1 | Primary | cve.org | 7.6 | — | — | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N |
| 3.1 | Primary | NVD | 6.3 | 2.1 | 4.2 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N |
| 3.1 | Secondary | NVD | 7.6 | 2.3 | 4.7 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N |