CVE-2018-7491 - Vulnerability Details - OpenCVE

In PrestaShop through 1.7.2.5, a UI-Redressing/Clickjacking vulnerability was found that might lead to state-changing impact in the context of a user or an admin, because the generateHtaccess function in classes/Tools.php sets neither X-Frame-Options nor 'Content-Security-Policy "frame-ancestors' values.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Prestashop	Prestashop

Configuration 1 [-]

cpe:2.3:a:prestashop:prestashop:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://forge.prestashop.com/browse/BOOM-4917
https://github.com/PrestaShop/PrestaShop/pull/8807

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2018-02-26T17:00:00Z

Updated: 2024-09-16T20:01:56.200Z

Reserved: 2018-02-26T00:00:00Z

Link: CVE-2018-7491

Vulnrichment

No data.

NVD

Status : Modified

Published: 2018-02-26T17:29:00.350

Modified: 2024-11-21T04:12:14.077

Link: CVE-2018-7491

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "In PrestaShop through 1.7.2.5, a UI-Redressing/Clickjacking vulnerability was found that might lead to state-changing impact in the context of a user or an admin, because the generateHtaccess function in classes/Tools.php sets neither X-Frame-Options nor 'Content-Security-Policy \"frame-ancestors' values."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-02-26T17:00:00Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://forge.prestashop.com/browse/BOOM-4917"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/PrestaShop/PrestaShop/pull/8807"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-7491", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In PrestaShop through 1.7.2.5, a UI-Redressing/Clickjacking vulnerability was found that might lead to state-changing impact in the context of a user or an admin, because the generateHtaccess function in classes/Tools.php sets neither X-Frame-Options nor 'Content-Security-Policy \"frame-ancestors' values."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://forge.prestashop.com/browse/BOOM-4917", "refsource": "MISC", "url": "http://forge.prestashop.com/browse/BOOM-4917"}, {"name": "https://github.com/PrestaShop/PrestaShop/pull/8807", "refsource": "MISC", "url": "https://github.com/PrestaShop/PrestaShop/pull/8807"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T06:31:04.118Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://forge.prestashop.com/browse/BOOM-4917"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/PrestaShop/PrestaShop/pull/8807"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-7491", "datePublished": "2018-02-26T17:00:00Z", "dateReserved": "2018-02-26T00:00:00Z", "dateUpdated": "2024-09-16T20:01:56.200Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:prestashop:prestashop:*:*:*:*:*:*:*:*", "matchCriteriaId": "7FF72D1C-3DE9-4408-B03D-733DDF8DC30F", "versionEndIncluding": "1.7.2.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In PrestaShop through 1.7.2.5, a UI-Redressing/Clickjacking vulnerability was found that might lead to state-changing impact in the context of a user or an admin, because the generateHtaccess function in classes/Tools.php sets neither X-Frame-Options nor 'Content-Security-Policy \"frame-ancestors' values."}, {"lang": "es", "value": "En PrestaShop hasta la versi\u00f3n 1.7.2.5, se ha encontrado una vulnerabilidad de secuestro de clics que podr\u00eda conducir a un impacto que cambia el estado en el contexto de un usuario o administrador. Esto se debe a que la funci\u00f3n generateHtaccess function en classes/Tools.php no establece los valores ni de X-Frame-Options ni de 'Content-Security-Policy \"frame-ancestors'."}], "id": "CVE-2018-7491", "lastModified": "2024-11-21T04:12:14.077", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-02-26T17:29:00.350", "references": [{"source": "cve@mitre.org", "tags": ["Permissions Required", "Vendor Advisory"], "url": "http://forge.prestashop.com/browse/BOOM-4917"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://github.com/PrestaShop/PrestaShop/pull/8807"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Permissions Required", "Vendor Advisory"], "url": "http://forge.prestashop.com/browse/BOOM-4917"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://github.com/PrestaShop/PrestaShop/pull/8807"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1021"}], "source": "nvd@nist.gov", "type": "Primary"}]}