CVE-2019-13461 - OpenCVE

In PrestaShop before 1.7.6.0 RC2, the id_address_delivery and id_address_invoice parameters are affected by an Insecure Direct Object Reference vulnerability due to a guessable value sent to the web application during checkout. An attacker could leak personal customer information. This is PrestaShop bug #14444.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Prestashop	Prestashop

Configuration 1 [-]

OR	cpe:2.3:a:prestashop:prestashop::::::::
	cpe:2.3:a:prestashop:prestashop:1.7.6.0:beta1::::::
	cpe:2.3:a:prestashop:prestashop:1.7.6.0:rc1::::::

References

Link	Resource
https://assets.prestashop2.com/en/system/files/ps_releases/changelog_1.7.6.0-rc2.txt	Release Notes Vendor Advisory
https://blog.hacktivesecurity.com/index.php?controller=post&action=view&id_post=40	Exploit Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2019-07-09T17:33:26

Updated: 2019-07-09T17:33:26

Reserved: 2019-07-09T00:00:00

Link: CVE-2019-13461

JSON object: View

NVD Information

Status : Analyzed

Published: 2019-07-09T18:15:11.593

Modified: 2020-08-24T17:37:01.140

Link: CVE-2019-13461

JSON object: View

Redhat Information

No data.

CWE

CWE-639

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "In PrestaShop before 1.7.6.0 RC2, the id_address_delivery and id_address_invoice parameters are affected by an Insecure Direct Object Reference vulnerability due to a guessable value sent to the web application during checkout. An attacker could leak personal customer information. This is PrestaShop bug #14444."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-07-09T17:33:26", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://blog.hacktivesecurity.com/index.php?controller=post&action=view&id_post=40"}, {"tags": ["x_refsource_MISC"], "url": "https://assets.prestashop2.com/en/system/files/ps_releases/changelog_1.7.6.0-rc2.txt"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-13461", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In PrestaShop before 1.7.6.0 RC2, the id_address_delivery and id_address_invoice parameters are affected by an Insecure Direct Object Reference vulnerability due to a guessable value sent to the web application during checkout. An attacker could leak personal customer information. This is PrestaShop bug #14444."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://blog.hacktivesecurity.com/index.php?controller=post&action=view&id_post=40", "refsource": "MISC", "url": "https://blog.hacktivesecurity.com/index.php?controller=post&action=view&id_post=40"}, {"name": "https://assets.prestashop2.com/en/system/files/ps_releases/changelog_1.7.6.0-rc2.txt", "refsource": "MISC", "url": "https://assets.prestashop2.com/en/system/files/ps_releases/changelog_1.7.6.0-rc2.txt"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-13461", "datePublished": "2019-07-09T17:33:26", "dateReserved": "2019-07-09T00:00:00", "dateUpdated": "2019-07-09T17:33:26", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:prestashop:prestashop:*:*:*:*:*:*:*:*", "matchCriteriaId": "99B42244-5DCF-4F88-A0B3-AB88B773FA98", "versionEndIncluding": "1.7.5.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:prestashop:prestashop:1.7.6.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "237DC12D-022C-4D4F-8675-054A650F3C37", "vulnerable": true}, {"criteria": "cpe:2.3:a:prestashop:prestashop:1.7.6.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F89A4574-5C01-4C92-AE10-8505E9CD2A7B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In PrestaShop before 1.7.6.0 RC2, the id_address_delivery and id_address_invoice parameters are affected by an Insecure Direct Object Reference vulnerability due to a guessable value sent to the web application during checkout. An attacker could leak personal customer information. This is PrestaShop bug #14444."}, {"lang": "es", "value": "En PrestaShop versiones anteriores a 1.7.6.0 RC2, los par\u00e1metros id_address_delivery y id_address_invoice se ven afectados por una vulnerabilidad de Referencia de Objeto Directa no Segura debido a un valor que puede enviarse a la aplicaci\u00f3n web durante el proceso de pago. Un atacante podr\u00eda filtrar informaci\u00f3n personal del cliente. Este es el bug de PrestaShop #14444."}], "id": "CVE-2019-13461", "lastModified": "2020-08-24T17:37:01.140", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-07-09T18:15:11.593", "references": [{"source": "cve@mitre.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://assets.prestashop2.com/en/system/files/ps_releases/changelog_1.7.6.0-rc2.txt"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://blog.hacktivesecurity.com/index.php?controller=post&action=view&id_post=40"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "nvd@nist.gov", "type": "Primary"}]}