CVE-2019-13461 - OpenCVE

In PrestaShop before 1.7.6.0 RC2, the id_address_delivery and id_address_invoice parameters are affected by an Insecure Direct Object Reference vulnerability due to a guessable value sent to the web application during checkout. An attacker could leak personal customer information. This is PrestaShop bug #14444.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Prestashop	Prestashop

Configuration 1 [-]

OR	cpe:2.3:a:prestashop:prestashop::::::::
	cpe:2.3:a:prestashop:prestashop:1.7.6.0:beta1::::::
	cpe:2.3:a:prestashop:prestashop:1.7.6.0:rc1::::::

No data.

References

Link	Providers
https://assets.prestashop2.com/en/system/files/ps_releases/changelog_1.7.6.0-rc2.txt
https://blog.hacktivesecurity.com/index.php?controller=post&action=view&id_post=40

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2019-07-09T17:33:26

Updated: 2024-08-04T23:49:25.035Z

Reserved: 2019-07-09T00:00:00

Link: CVE-2019-13461

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2019-07-09T18:15:11.593

Modified: 2020-08-24T17:37:01.140

Link: CVE-2019-13461

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "In PrestaShop before 1.7.6.0 RC2, the id_address_delivery and id_address_invoice parameters are affected by an Insecure Direct Object Reference vulnerability due to a guessable value sent to the web application during checkout. An attacker could leak personal customer information. This is PrestaShop bug #14444."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-07-09T17:33:26", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://blog.hacktivesecurity.com/index.php?controller=post&action=view&id_post=40"}, {"tags": ["x_refsource_MISC"], "url": "https://assets.prestashop2.com/en/system/files/ps_releases/changelog_1.7.6.0-rc2.txt"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-13461", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In PrestaShop before 1.7.6.0 RC2, the id_address_delivery and id_address_invoice parameters are affected by an Insecure Direct Object Reference vulnerability due to a guessable value sent to the web application during checkout. An attacker could leak personal customer information. This is PrestaShop bug #14444."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://blog.hacktivesecurity.com/index.php?controller=post&action=view&id_post=40", "refsource": "MISC", "url": "https://blog.hacktivesecurity.com/index.php?controller=post&action=view&id_post=40"}, {"name": "https://assets.prestashop2.com/en/system/files/ps_releases/changelog_1.7.6.0-rc2.txt", "refsource": "MISC", "url": "https://assets.prestashop2.com/en/system/files/ps_releases/changelog_1.7.6.0-rc2.txt"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T23:49:25.035Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://blog.hacktivesecurity.com/index.php?controller=post&action=view&id_post=40"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://assets.prestashop2.com/en/system/files/ps_releases/changelog_1.7.6.0-rc2.txt"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-13461", "datePublished": "2019-07-09T17:33:26", "dateReserved": "2019-07-09T00:00:00", "dateUpdated": "2024-08-04T23:49:25.035Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:prestashop:prestashop:*:*:*:*:*:*:*:*", "matchCriteriaId": "99B42244-5DCF-4F88-A0B3-AB88B773FA98", "versionEndIncluding": "1.7.5.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:prestashop:prestashop:1.7.6.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "237DC12D-022C-4D4F-8675-054A650F3C37", "vulnerable": true}, {"criteria": "cpe:2.3:a:prestashop:prestashop:1.7.6.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F89A4574-5C01-4C92-AE10-8505E9CD2A7B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In PrestaShop before 1.7.6.0 RC2, the id_address_delivery and id_address_invoice parameters are affected by an Insecure Direct Object Reference vulnerability due to a guessable value sent to the web application during checkout. An attacker could leak personal customer information. This is PrestaShop bug #14444."}, {"lang": "es", "value": "En PrestaShop versiones anteriores a 1.7.6.0 RC2, los par\u00e1metros id_address_delivery y id_address_invoice se ven afectados por una vulnerabilidad de Referencia de Objeto Directa no Segura debido a un valor que puede enviarse a la aplicaci\u00f3n web durante el proceso de pago. Un atacante podr\u00eda filtrar informaci\u00f3n personal del cliente. Este es el bug de PrestaShop #14444."}], "id": "CVE-2019-13461", "lastModified": "2020-08-24T17:37:01.140", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-07-09T18:15:11.593", "references": [{"source": "cve@mitre.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://assets.prestashop2.com/en/system/files/ps_releases/changelog_1.7.6.0-rc2.txt"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://blog.hacktivesecurity.com/index.php?controller=post&action=view&id_post=40"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "nvd@nist.gov", "type": "Primary"}]}