CVE-2024-26129 - Vulnerability Details - OpenCVE

PrestaShop is an open-source e-commerce platform. Starting in version 8.1.0 and prior to version 8.1.4, PrestaShop is vulnerable to path disclosure in a JavaScript variable. A patch is available in version 8.1.4.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Prestashop	Prestashop

Configuration 1 [-]

cpe:2.3:a:prestashop:prestashop:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/PrestaShop/PrestaShop/commit/444bd0dea581659918fe2067541b9863cf099dd5
https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-3366-9287-7qpr
https://owasp.org/www-community/attacks/Full_Path_Disclosure

History

Fri, 17 Jan 2025 16:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:prestashop:prestashop::::::::

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-02-19T21:59:54.426Z

Updated: 2024-08-01T23:59:32.697Z

Reserved: 2024-02-14T17:40:03.687Z

Link: CVE-2024-26129

Vulnrichment

Updated: 2024-07-25T16:43:43.750Z

NVD

Status : Analyzed

Published: 2024-02-19T22:15:49.013

Modified: 2025-01-17T15:44:18.993

Link: CVE-2024-26129

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-26129", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-02-14T17:40:03.687Z", "datePublished": "2024-02-19T21:59:54.426Z", "dateUpdated": "2024-08-01T23:59:32.697Z"}, "containers": {"cna": {"title": "Prestashop vulnerable to path disclosure in JavaScript variable", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-3366-9287-7qpr", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-3366-9287-7qpr"}, {"name": "https://github.com/PrestaShop/PrestaShop/commit/444bd0dea581659918fe2067541b9863cf099dd5", "tags": ["x_refsource_MISC"], "url": "https://github.com/PrestaShop/PrestaShop/commit/444bd0dea581659918fe2067541b9863cf099dd5"}, {"name": "https://owasp.org/www-community/attacks/Full_Path_Disclosure", "tags": ["x_refsource_MISC"], "url": "https://owasp.org/www-community/attacks/Full_Path_Disclosure"}], "affected": [{"vendor": "PrestaShop", "product": "PrestaShop", "versions": [{"version": ">= 8.1.0, < 8.1.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-02-19T21:59:54.426Z"}, "descriptions": [{"lang": "en", "value": "PrestaShop is an open-source e-commerce platform. Starting in version 8.1.0 and prior to version 8.1.4, PrestaShop is vulnerable to path disclosure in a JavaScript variable. A patch is available in version 8.1.4."}], "source": {"advisory": "GHSA-3366-9287-7qpr", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "prestashop", "product": "prestashop", "cpes": ["cpe:2.3:a:prestashop:prestashop:8.1.0:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "8.1.0", "status": "affected", "lessThan": "8.1.4", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-02-21T19:38:34.924222Z", "id": "CVE-2024-26129", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-25T16:43:47.669Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:59:32.697Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-3366-9287-7qpr", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-3366-9287-7qpr"}, {"name": "https://github.com/PrestaShop/PrestaShop/commit/444bd0dea581659918fe2067541b9863cf099dd5", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/PrestaShop/PrestaShop/commit/444bd0dea581659918fe2067541b9863cf099dd5"}, {"name": "https://owasp.org/www-community/attacks/Full_Path_Disclosure", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://owasp.org/www-community/attacks/Full_Path_Disclosure"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-26129", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-02-21T19:38:34.924222Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:prestashop:prestashop:8.1.0:*:*:*:*:*:*:*"], "vendor": "prestashop", "product": "prestashop", "versions": [{"status": "affected", "version": "8.1.0", "lessThan": "8.1.4", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-25T16:43:43.750Z"}}], "cna": {"title": "Prestashop vulnerable to path disclosure in JavaScript variable", "source": {"advisory": "GHSA-3366-9287-7qpr", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "PrestaShop", "product": "PrestaShop", "versions": [{"status": "affected", "version": ">= 8.1.0, < 8.1.4"}]}], "references": [{"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-3366-9287-7qpr", "name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-3366-9287-7qpr", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/PrestaShop/PrestaShop/commit/444bd0dea581659918fe2067541b9863cf099dd5", "name": "https://github.com/PrestaShop/PrestaShop/commit/444bd0dea581659918fe2067541b9863cf099dd5", "tags": ["x_refsource_MISC"]}, {"url": "https://owasp.org/www-community/attacks/Full_Path_Disclosure", "name": "https://owasp.org/www-community/attacks/Full_Path_Disclosure", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "PrestaShop is an open-source e-commerce platform. Starting in version 8.1.0 and prior to version 8.1.4, PrestaShop is vulnerable to path disclosure in a JavaScript variable. A patch is available in version 8.1.4."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-02-19T21:59:54.426Z"}}}, "cveMetadata": {"cveId": "CVE-2024-26129", "state": "PUBLISHED", "dateUpdated": "2024-07-25T16:43:47.669Z", "dateReserved": "2024-02-14T17:40:03.687Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-02-19T21:59:54.426Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:prestashop:prestashop:*:*:*:*:*:*:*:*", "matchCriteriaId": "83808A76-52D4-4D8E-A8EA-649A7C40F9C1", "versionEndExcluding": "8.1.4", "versionStartIncluding": "8.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "PrestaShop is an open-source e-commerce platform. Starting in version 8.1.0 and prior to version 8.1.4, PrestaShop is vulnerable to path disclosure in a JavaScript variable. A patch is available in version 8.1.4."}, {"lang": "es", "value": "PrestaShop es una plataforma de comercio electr\u00f3nico de c\u00f3digo abierto. A partir de la versi\u00f3n 8.1.0 y anteriores a la versi\u00f3n 8.1.4, PrestaShop es vulnerable a la divulgaci\u00f3n de rutas en una variable de JavaScript. Hay un parche disponible en la versi\u00f3n 8.1.4."}], "id": "CVE-2024-26129", "lastModified": "2025-01-17T15:44:18.993", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-02-19T22:15:49.013", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/PrestaShop/PrestaShop/commit/444bd0dea581659918fe2067541b9863cf099dd5"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-3366-9287-7qpr"}, {"source": "security-advisories@github.com", "tags": ["Not Applicable"], "url": "https://owasp.org/www-community/attacks/Full_Path_Disclosure"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/PrestaShop/PrestaShop/commit/444bd0dea581659918fe2067541b9863cf099dd5"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-3366-9287-7qpr"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Not Applicable"], "url": "https://owasp.org/www-community/attacks/Full_Path_Disclosure"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}