logo

Database

Excessive privileges In prestashop/prestashop

Description

PrestaShop allows employee without any access rights to list all installed modules

Impact

In BO, an employee can list all modules without any access rights: method ajaxProcessGetPossibleHookingListForModule doesn't check access rights

Patches

Fixed on 8.1.2

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2023-436642. NVD-2023-436643. OSV-2023-436644. GHSA-gvrg-62jp-rf7j5. GCVE-2023-43664

References

1. https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-gvrg-62jp-rf7j2. https://github.com/PrestaShop/PrestaShop/commit/15bd281c18f032a5134a8d213b44d24829d45762

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.

FLAT-810WF – Vulnerability | Fluid Attacks Database