Veracode Vulnerability Database: VERACODE:46918
History: May 15, 2024 - 6:29 a.m.

Insecure Direct Object Reference (IDOR)

2024-05-15 06:29:10
sca.analysiscenter.veracode.com
Tags: idor, prestashop, access controls, invoice download, url parameter, anonymous mode

CVSS3: 5.3

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score: 6.9
Confidence: Low

EPSS: 0
Percentile: 9.0%

prestashop/prestashop is vulnerable to an Insecure Direct Object Reference (IDOR). The vulnerability is due to insufficient access controls, which allows any invoice to be downloaded from the front-office in anonymous mode by supplying a random secure_key parameter in the URL.
