CVE-2020-15162 - OpenCVE

In PrestaShop from version 1.5.0.0 and before version 1.7.6.8, users are allowed to send compromised files. These attachments allowed people to input malicious JavaScript which triggered an XSS payload. The problem is fixed in version 1.7.6.8.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:S/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Prestashop	Prestashop

Configuration 1 [-]

cpe:2.3:a:prestashop:prestashop:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/PrestaShop/PrestaShop/commit/2cfcd33c75974a49f17665f294f228454e14d9cf
https://github.com/PrestaShop/PrestaShop/releases/tag/1.7.6.8
https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-rc8c-v7rq-q392

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2020-09-24T22:15:14

Updated: 2024-08-04T13:08:22.436Z

Reserved: 2020-06-25T00:00:00

Link: CVE-2020-15162

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-09-24T23:15:13.807

Modified: 2020-09-30T14:18:17.567

Link: CVE-2020-15162

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "PrestaShop", "vendor": "PrestaShop", "versions": [{"status": "affected", "version": "> 1.5.0.0, < 1.7.6.8"}]}], "descriptions": [{"lang": "en", "value": "In PrestaShop from version 1.5.0.0 and before version 1.7.6.8, users are allowed to send compromised files. These attachments allowed people to input malicious JavaScript which triggered an XSS payload. The problem is fixed in version 1.7.6.8."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-09-24T22:15:14", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/PrestaShop/PrestaShop/releases/tag/1.7.6.8"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-rc8c-v7rq-q392"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/PrestaShop/PrestaShop/commit/2cfcd33c75974a49f17665f294f228454e14d9cf"}], "source": {"advisory": "GHSA-rc8c-v7rq-q392", "discovery": "UNKNOWN"}, "title": "Stored XSS in PrestaShop", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-15162", "STATE": "PUBLIC", "TITLE": "Stored XSS in PrestaShop"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "PrestaShop", "version": {"version_data": [{"version_value": "> 1.5.0.0, < 1.7.6.8"}]}}]}, "vendor_name": "PrestaShop"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In PrestaShop from version 1.5.0.0 and before version 1.7.6.8, users are allowed to send compromised files. These attachments allowed people to input malicious JavaScript which triggered an XSS payload. The problem is fixed in version 1.7.6.8."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}]}, "references": {"reference_data": [{"name": "https://github.com/PrestaShop/PrestaShop/releases/tag/1.7.6.8", "refsource": "MISC", "url": "https://github.com/PrestaShop/PrestaShop/releases/tag/1.7.6.8"}, {"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-rc8c-v7rq-q392", "refsource": "CONFIRM", "url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-rc8c-v7rq-q392"}, {"name": "https://github.com/PrestaShop/PrestaShop/commit/2cfcd33c75974a49f17665f294f228454e14d9cf", "refsource": "MISC", "url": "https://github.com/PrestaShop/PrestaShop/commit/2cfcd33c75974a49f17665f294f228454e14d9cf"}]}, "source": {"advisory": "GHSA-rc8c-v7rq-q392", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T13:08:22.436Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/PrestaShop/PrestaShop/releases/tag/1.7.6.8"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-rc8c-v7rq-q392"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/PrestaShop/PrestaShop/commit/2cfcd33c75974a49f17665f294f228454e14d9cf"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-15162", "datePublished": "2020-09-24T22:15:14", "dateReserved": "2020-06-25T00:00:00", "dateUpdated": "2024-08-04T13:08:22.436Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:prestashop:prestashop:*:*:*:*:*:*:*:*", "matchCriteriaId": "67381BE9-C6EF-4A3F-B7BD-845627E10805", "versionEndExcluding": "1.7.6.8", "versionStartIncluding": "1.5.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In PrestaShop from version 1.5.0.0 and before version 1.7.6.8, users are allowed to send compromised files. These attachments allowed people to input malicious JavaScript which triggered an XSS payload. The problem is fixed in version 1.7.6.8."}, {"lang": "es", "value": "En PrestaShop a partir de la versi\u00f3n 1.5.0.0 y antes de la versi\u00f3n 1.7.6.8, los usuarios pueden enviar archivos comprometidos. Estos archivos adjuntos permitieron a la gente introducir JavaScript malicioso que desencaden\u00f3 una carga \u00fatil de XSS. El problema est\u00e1 arreglado en la versi\u00f3n 1.7.6.8"}], "id": "CVE-2020-15162", "lastModified": "2020-09-30T14:18:17.567", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2020-09-24T23:15:13.807", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/PrestaShop/PrestaShop/commit/2cfcd33c75974a49f17665f294f228454e14d9cf"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/PrestaShop/PrestaShop/releases/tag/1.7.6.8"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-rc8c-v7rq-q392"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}