CVE-2023-43664

EUVD-2023-2510
PrestaShop is an Open Source e-commerce web application. In the Prestashop Back office interface, an employee can list all modules without any access rights: method `ajaxProcessGetPossibleHookingListForModule` doesn't check access rights. This issue has been addressed in commit `15bd281c` which is included in version 8.1.2. Users are advised to upgrade. There are no known workaround for this issue.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
GitHub_MCNA
4.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 46%
Affected Products (NVD)
VendorProductVersion
prestashopprestashop
𝑥
< 8.1.2
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/PrestaShop/PrestaShop/commit/15bd281c18f032a5134a8d213b44d24829d45762
https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-gvrg-62jp-rf7j
https://github.com/PrestaShop/PrestaShop/commit/15bd281c18f032a5134a8d213b44d24829d45762
https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-gvrg-62jp-rf7j