CVE-2024-34717

MEDIUM5.3EPSS 0.53%

Anonymous PrestaShop customer can download other customers' invoices

發布日:2024/5/14修改日:2024/5/24

也稱為:GHSA-7pjr-2rgh-fc5gBIT-prestashop-2024-34717

描述

### Impact Since PrestaShop 8.1.5, any invoice can be downloaded from front-office in anonymous mode, by supplying a random secure_key parameter in the url. ### Patches Patched in 8.1.6 ### Workarounds Upgrade to 8.1.6 Thank you to Samuel Bodevin, who found this vulnerability and shared it with the PrestaShop team.

受影響套件(2)

Bitnami/prestashop>= 8.1.5, < 8.1.6
Packagist/prestashop/prestashop>= 8.1.5, < 8.1.6

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

參考連結(5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-34717
PATCHhttps://github.com/PrestaShop/PrestaShop
WEBhttps://github.com/PrestaShop/PrestaShop/commit/46b9a2b430dd2008ac061fbcbae9f7af55a7920a
WEBhttps://github.com/PrestaShop/PrestaShop/releases/tag/8.1.6
WEBhttps://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-7pjr-2rgh-fc5g