OpenCVE

PrestaShop is an open source e-commerce web application. In PrestaShop 8.1.5, any invoice can be downloaded from front-office in anonymous mode, by supplying a random secure_key parameter in the url. This issue is patched in version 8.1.6. No known workarounds are available.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

References

Link	Providers
https://github.com/PrestaShop/PrestaShop/releases/tag/8.1.6
https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-7pjr-2rgh-fc5g

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-05-14T15:47:27.265Z

Updated: 2024-08-02T02:59:22.270Z

Reserved: 2024-05-07T13:53:00.134Z

Link: CVE-2024-34717

Vulnrichment

Updated: 2024-08-02T02:59:22.270Z

NVD

Status : Awaiting Analysis

Published: 2024-05-14T16:17:28.540

Modified: 2024-11-21T09:19:15.500

Link: CVE-2024-34717

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-34717", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-05-07T13:53:00.134Z", "datePublished": "2024-05-14T15:47:27.265Z", "dateUpdated": "2024-08-02T02:59:22.270Z"}, "containers": {"cna": {"title": "Anonymous PrestaShop customer can download other customers' invoices", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-7pjr-2rgh-fc5g", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-7pjr-2rgh-fc5g"}, {"name": "https://github.com/PrestaShop/PrestaShop/releases/tag/8.1.6", "tags": ["x_refsource_MISC"], "url": "https://github.com/PrestaShop/PrestaShop/releases/tag/8.1.6"}], "affected": [{"vendor": "PrestaShop", "product": "PrestaShop", "versions": [{"version": "= 8.1.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-05-14T15:47:27.265Z"}, "descriptions": [{"lang": "en", "value": "PrestaShop is an open source e-commerce web application. In PrestaShop 8.1.5, any invoice can be downloaded from front-office in anonymous mode, by supplying a random secure_key parameter in the url. This issue is patched in version 8.1.6. No known workarounds are available."}], "source": {"advisory": "GHSA-7pjr-2rgh-fc5g", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-34717", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-15T13:22:48.091893Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:prestashop:prestashop:8.1.0:*:*:*:*:*:*:*"], "vendor": "prestashop", "product": "prestashop", "versions": [{"status": "affected", "version": "8.1.0", "lessThan": "8.1.6", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:41:41.822Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:59:22.270Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-7pjr-2rgh-fc5g", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-7pjr-2rgh-fc5g"}, {"name": "https://github.com/PrestaShop/PrestaShop/releases/tag/8.1.6", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/PrestaShop/PrestaShop/releases/tag/8.1.6"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-7pjr-2rgh-fc5g", "name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-7pjr-2rgh-fc5g", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/PrestaShop/PrestaShop/releases/tag/8.1.6", "name": "https://github.com/PrestaShop/PrestaShop/releases/tag/8.1.6", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:59:22.270Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-34717", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-15T13:22:48.091893Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:prestashop:prestashop:8.1.0:*:*:*:*:*:*:*"], "vendor": "prestashop", "product": "prestashop", "versions": [{"status": "affected", "version": "8.1.0", "lessThan": "8.1.6", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-15T13:24:44.178Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "Anonymous PrestaShop customer can download other customers' invoices", "source": {"advisory": "GHSA-7pjr-2rgh-fc5g", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "PrestaShop", "product": "PrestaShop", "versions": [{"status": "affected", "version": "= 8.1.5"}]}], "references": [{"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-7pjr-2rgh-fc5g", "name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-7pjr-2rgh-fc5g", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/PrestaShop/PrestaShop/releases/tag/8.1.6", "name": "https://github.com/PrestaShop/PrestaShop/releases/tag/8.1.6", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "PrestaShop is an open source e-commerce web application. In PrestaShop 8.1.5, any invoice can be downloaded from front-office in anonymous mode, by supplying a random secure_key parameter in the url. This issue is patched in version 8.1.6. No known workarounds are available."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-05-14T15:47:27.265Z"}}}, "cveMetadata": {"cveId": "CVE-2024-34717", "state": "PUBLISHED", "dateUpdated": "2024-08-02T02:59:22.270Z", "dateReserved": "2024-05-07T13:53:00.134Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-05-14T15:47:27.265Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}