CVE-2022-21686

Published: Jan 26, 2022Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

PrestaShop is an Open Source e-commerce platform. Starting with version 1.7.0.0 and ending with version 1.7.8.3, an attacker is able to inject twig code inside the back office when using the legacy layout. The problem is fixed in version 1.7.8.3. There are no known workarounds.

Affected (1)

Products: Prestashop: Prestashop

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Prestashop Prestashop	From 1.7.0.0 to 1.7.8.3

Related CWEs

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (6)

https://github.com/PrestaShop/PrestaShop/commit/d02b469ec365822e6a9f017e57f588966248bf21

Source: security-advisories@github.com

PatchThird Party Advisory

https://github.com/PrestaShop/PrestaShop/releases/tag/1.7.8.3

Source: security-advisories@github.com

Release NotesThird Party Advisory

https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-mrq4-7ch7-2465

Source: security-advisories@github.com

Third Party Advisory

https://github.com/PrestaShop/PrestaShop/commit/d02b469ec365822e6a9f017e57f588966248bf21

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/PrestaShop/PrestaShop/releases/tag/1.7.8.3

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesThird Party Advisory

https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-mrq4-7ch7-2465

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.