Lucene search

MitreCVE-2023-45382

HistoryNov 17, 2023 - 2:15 a.m.

CVE-2023-45382

2023-11-1702:15:26

CWE-22

mitre

web.nvd.nist.gov

cve-2023-45382

sonice retour

path traversal attack

personal information

nvd

common-services

prestashop

permission control

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

7.4

Confidence

High

EPSS

0.001

Percentile

38.6%

JSON

In the module “SoNice Retour” (sonice_retour) up to version 2.1.0 from Common-Services for PrestaShop, a guest can download personal information without restriction by performing a path traversal attack. Due to a lack of permissions control and a lack of control in the path name construction, a guest can perform a path traversal to view all files on the information system.

Affected configurations

Nvd

Node

common-servicessonice_retourRange≤2.1.0prestashop

VendorProductVersionCPE
common-servicessonice_retour*cpe:2.3:a:common-services:sonice_retour:*:*:*:*:*:prestashop:*:*

Vendor	Product	Version	CPE
common-services	sonice_retour	*	cpe:2.3:a:common-services:sonice_retour::::::prestashop::*

References

common-services.com/fr/home-fr/

security.friendsofpresta.org/modules/2023/11/16/sonice_retour.html

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

7.4

Confidence

High

EPSS

0.001

Percentile

38.6%

JSON

Related for CVE-2023-45382