CVE-2020-15243

Опубликовано: 08 окт. 2020

Источник: nvd

CVSS3: 9.1

CVSS3: 9.8

CVSS2: 7.5

EPSS Низкий

Описание

Affected versions of Smartstore have a missing WebApi Authentication attribute. This vulnerability affects Smartstore shops in version 4.0.0 & 4.0.1 which have installed and activated the Web API plugin. Users of Smartstore 4.0.0 and 4.0.1 must merge their repository with 4.0.x or overwrite the file SmartStore.Web.Framework in the /bin directory of the deployed shop with this file. As a workaround without updating uninstall the Web API plugin to close this vulnerability.

Ссылки

https://github.com/smartstore/SmartStoreNET/security/advisories/GHSA-8g9m-jx26-qp4h
Third Party Advisory
https://github.com/smartstore/SmartStoreNET/security/advisories/GHSA-8g9m-jx26-qp4h
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:smartstore:smartstore:4.0.0:*:*:*:*:*:*:*

cpe:2.3:a:smartstore:smartstore:4.0.1:*:*:*:*:*:*:*

EPSS

Процентиль: 51%

0.00277

Низкий

9.1 Critical

CVSS3

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-287

CWE-306

EPSS

Процентиль: 51%

0.00277

Низкий

9.1 Critical

CVSS3

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-287

CWE-306