Vulnerability from bitnami_vulndb
Published
2024-03-06 11:02
Modified
2025-05-20 10:02
Summary
Employee without any access rights can list all installed modules in PrestaShop
Details
PrestaShop is an open-source e-commerce web application. In the PrestaShop Back Office interface, an employee without any access rights can list all modules, because the method `ajaxProcessGetPossibleHookingListForModule` doesn't check access rights. This issue has been addressed in commit 15bd281c, which is included in version 8.1.2. Users are advised to upgrade. There are no known workarounds for this issue.
{
  "affected": [
    {
      "package": {
        "ecosystem": "Bitnami",
        "name": "prestashop",
        "purl": "pkg:bitnami/prestashop"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "8.1.2"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "severity": [
        {
          "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "type": "CVSS_V3"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-43664"
  ],
  "database_specific": {
    "cpes": [
      "cpe:2.3:a:prestashop:prestashop:*:*:*:*:*:*:*:*"
    ],
    "severity": "Medium"
  },
  "details": "PrestaShop is an Open Source e-commerce web application. In the Prestashop Back office interface, an employee can list all modules without any access rights: method `ajaxProcessGetPossibleHookingListForModule` doesn\u0027t check access rights. This issue has been addressed in commit `15bd281c` which is included in version 8.1.2. Users are advised to upgrade. There are no known workaround for this issue.",
  "id": "BIT-prestashop-2023-43664",
  "modified": "2025-05-20T10:02:07.006Z",
  "published": "2024-03-06T11:02:38.285Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/PrestaShop/PrestaShop/commit/15bd281c18f032a5134a8d213b44d24829d45762"
    },
    {
      "type": "WEB",
      "url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-gvrg-62jp-rf7j"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43664"
    }
  ],
  "schema_version": "1.5.0",
  "summary": "Employee without any access rights can list all installed modules in Prestashop"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.