CVE-2023-25170

Опубликовано: 13 мар. 2023

Источник: nvd

CVSS3: 5

CVSS3: 8.8

EPSS Низкий

Описание

PrestaShop is an open source e-commerce web application that, prior to version 8.0.1, is vulnerable to cross-site request forgery (CSRF). When authenticating users, PrestaShop preserves session attributes. Because this does not clear CSRF tokens upon login, this might enable same-site attackers to bypass the CSRF protection mechanism by performing an attack similar to a session-fixation. The problem is fixed in version 8.0.1.

Ссылки

https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-3g43-x7qr-96ph
Vendor Advisory
https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-3g43-x7qr-96ph
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:prestashop:prestashop:*:*:*:*:*:*:*:*

Версия до 8.0.1 (исключая)

EPSS

Процентиль: 9%

0.00032

Низкий

5 Medium

CVSS3

8.8 High

CVSS3

Дефекты

CWE-352

Связанные уязвимости

GHSA-3g43-x7qr-96ph

CVSS3: 5

github

почти 3 года назад

Possible CSRF token fixation

EPSS

Процентиль: 9%

0.00032

Низкий

5 Medium

CVSS3

8.8 High

CVSS3

Дефекты

CWE-352