GHSA-769f-539v-f5jg prestashop/gamification

Package

Manager: composer
Name: prestashop/gamification
Vulnerable Version: >=0 <2.3.2

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:H/RL:U/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: N/A (percentile: N/A)

Details

PrestaShop gamification module ZIP archives were vulnerable to CVE-2017-9841

### Impact

We have identified that some gamification module ZIP archives have been built with phpunit dev dependencies. PHPUnit contains a PHP script that, when present on a web server, would allow an attacker to perform remote code execution (RCE).

This vulnerability impacts:

- phpunit before 4.8.28 and 5.x before 5.6.3, as reported in [CVE-2017-9841](https://nvd.nist.gov/vuln/detail/CVE-2017-9841)
- phpunit >= 5.63 before 7.5.19 and 8.5.1 (this is a newly found vulnerability that is currently being submitted as a CVE after disclosure was provided to phpunit maintainers)

You can read the official PrestaShop statement about this vulnerability [here](https://build.prestashop.com/news/critical-security-vulnerability-in-prestashop-modules/).

### Patches

In the [security patch](https://github.com/PrestaShop/gamification/releases/tag/v2.3.2), we look for the unwanted vendor/phpunit folder and remove it if we find it. This allows users to fix the security issue when upgrading.

### Workarounds

Users can also simply remove the unwanted vendor/phpunit folder.

### References

https://nvd.nist.gov/vuln/detail/CVE-2017-9841

### For more information

If you have any questions or comments about this advisory, email us at security@prestashop.com
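
The workaround above (removing the unwanted vendor/phpunit folder) as an added shell example, not part of the advisory or of PrestaShop's patch: it lists every `vendor/phpunit` directory below a modules directory, removes them, and reports the count. The function names and the sample tree (including the `cleanmodule`, `guzzlehttp` and `symfony` folder names) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not PrestaShop's code): locate and remove leftover
# vendor/phpunit folders below a modules directory.

# Print every vendor/phpunit directory below ROOT ($1), one per line.
find_phpunit_dirs() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
    # -prune: report the folder itself without descending into it.
    find "$1" -type d -path '*/vendor/phpunit' -prune -print
}

# Delete every hit below ROOT ($1) and print how many folders were removed.
remove_phpunit_dirs() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
    count=$(find_phpunit_dirs "$1" | wc -l)
    find "$1" -type d -path '*/vendor/phpunit' -prune -exec rm -rf -- {} +
    echo "$((count))"
}

# Constructed sample tree: one module shipped with phpunit, one clean module.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/modules/gamification/vendor/phpunit/phpunit/src" \
             "$root/modules/gamification/vendor/guzzlehttp" \
             "$root/modules/cleanmodule/vendor/symfony"
    : > "$root/modules/gamification/vendor/phpunit/phpunit/src/placeholder.php"
    echo "$root"
}

# Demo on the constructed tree: audit, remove, audit again.
demo() {
    tree=$(make_sample_tree) || return 1
    echo "before:"; find_phpunit_dirs "$tree/modules"
    echo "removed: $(remove_phpunit_dirs "$tree/modules")"
    echo "after:";  find_phpunit_dirs "$tree/modules"
    rm -rf -- "$tree"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run `find_phpunit_dirs` on its own first to review the hits before deleting anything; other `vendor/` dependencies are left untouched.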

Metadata

Created: 2020-01-08T03:10:44Z
Modified: 2020-01-08T03:10:06Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/01/GHSA-769f-539v-f5jg/GHSA-769f-539v-f5jg.json
CWE IDs: []
Alternative ID: N/A
Finding: F422
Auto approve: 1