CVE-2020-26224

Published: Nov 16, 2020Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

In PrestaShop before version 1.7.6.9 an attacker is able to list all the orders placed on the website without being logged by abusing the function that allows a shopping cart to be recreated from an order already placed. The problem is fixed in 1.7.6.9.

Affected (1)

Products: Prestashop: Prestashop

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Prestashop Prestashop	Before 1.7.6.9

Related CWEs

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

References (4)

https://github.com/PrestaShop/PrestaShop/commit/709d9afab7bdba1de5d7225a40e4f28c35975909

Source: security-advisories@github.com

ExploitThird Party Advisory

https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-frf2-c9q3-qg9m

Source: security-advisories@github.com

Third Party Advisory

https://github.com/PrestaShop/PrestaShop/commit/709d9afab7bdba1de5d7225a40e4f28c35975909

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-frf2-c9q3-qg9m

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.