Description
PrestaShop Checkout Target PayPal merchant account hijacking from backoffice
Impact
Wrong usage of the PHP array_search() allows bypass of validation.
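The advisory does not say which misuse of array_search() the module contained. The PHP below is an added example, not code from ps_checkout: it shows the two common ways a validation built on array_search() goes wrong, next to a strict version. The allow-list, function names and inputs are hypothetical.

```php
<?php
declare(strict_types=1);

// Constructed allow-list of merchant identifiers (hypothetical values).
const ALLOWED_MERCHANTS = ['MERCHANT_A', 'MERCHANT_B', 'MERCHANT_C'];

/** Misuse 1: treats the returned key as a boolean, so key 0 reads as "not found". */
function checkTruthy($value): bool
{
    return (bool) array_search($value, ALLOWED_MERCHANTS);
}

/** Misuse 2: tests the result against false but leaves the comparison loose (==). */
function checkLoose($value): bool
{
    return array_search($value, ALLOWED_MERCHANTS) !== false;
}

/** Hardened: require a string, compare with ===, and test the result against false. */
function checkStrict($value): bool
{
    return is_string($value)
        && array_search($value, ALLOWED_MERCHANTS, true) !== false;
}

// Constructed inputs: the first entry, a later entry, an unknown string, and a
// non-string value of the kind a decoded request body can carry.
$samples = ['MERCHANT_A', 'MERCHANT_B', 'MERCHANT_X', true];

foreach ($samples as $value) {
    printf(
        "%-14s truthy=%-5s loose=%-5s strict=%s\n",
        var_export($value, true),
        var_export(checkTruthy($value), true),
        var_export(checkLoose($value), true),
        var_export(checkStrict($value), true)
    );
}
```

When reviewing code for this class of bug, look for array_search() or in_array() calls without the third `true` argument and for results used directly in a condition instead of being compared with `!== false`.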
Patches
The problem has been patched in versions:
- v4.4.1 for PrestaShop 1.7 (build number: 7.4.4.1)
- v4.4.1 for PrestaShop 8 (build number: 8.4.4.1)
- v5.0.5 for PrestaShop 1.7 (build number: 7.5.0.5)
- v5.0.5 for PrestaShop 8 (build number: 8.5.0.5)
- v5.0.5 for PrestaShop 9 (build number: 9.5.0.5)
Read the Versioning policy to learn more about the build number.
Credits
Léo CUNÉAZ reported this issue.
Packages
Name: prestashop/ps_checkout (composer)
Affected versions: < 4.4.1
Patched version: 4.4.1
Name: prestashop/ps_checkout (composer)
Affected versions: >= 5.0.0, < 5.0.5
Patched version: 5.0.5
Related vulnerabilities
CVSS3: 3.8
nvd
4 months ago
PrestaShop Checkout is the PrestaShop official payment module in partnership with PayPal. In versions prior to 4.4.1 and 5.0.5, wrong usage of the PHP array_search() allows target PayPal merchant account hijacking from the backoffice. The vulnerability is fixed in versions 4.4.1 and 5.0.5. No known workarounds exist.