Prestashop: Security vulnerability - Possible information steal

Created on 12 Mar 2020  路  5Comments  路  Source: PrestaShop/PrestaShop

You tell us about the security vulnerability and possible information steal here: https://build.prestashop.com/news/prestashop-1-7-6-4-maintenance-release/?utm_source=emailing&utm_medium=email&utm_campaign=B2BEN&utm_content=Launch1764&spMailingID=17046613&spUserID=NTE4NDg0Mjk2MTc5S0&spJobID=1840311223&spReportId=MTg0MDMxMTIyMwS2 and https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-mhfc-6rhg-fxp3. But you somehow forget to point us to the commit which fixes it...................

Please tell us which commit we need.................

1.7.6.4 No change required
Source
picture michaelKaefer
👍1

Most helpful comment

Hi @khouloudbelguith

Maybe add this: https://github.com/PrestaShop/PrestaShop/pull/18073 and https://github.com/PrestaShop/PrestaShop/pull/18103 (in progress ...)
Because this Security PR introduces other minor bugs. See https://github.com/PrestaShop/PrestaShop/issues/18072 and https://github.com/PrestaShop/PrestaShop/issues/18100

picture PululuK on 12 Mar 2020
👍2

All 5 comments

Hi @michaelKaefer,

You can follow this commit
Find below detailed information about the security fix provided in this version:

CVE reference: CVE-2020-5250
GitHub Security Advisory: GHSA-mhfc-6rhg-fxp3

Thanks!

khouloudbelguith picture khouloudbelguith on 12 Mar 2020
👍1

Hi @khouloudbelguith

Maybe add this: https://github.com/PrestaShop/PrestaShop/pull/18073 and https://github.com/PrestaShop/PrestaShop/pull/18103 (in progress ...)
Because this Security PR introduces other minor bugs. See https://github.com/PrestaShop/PrestaShop/issues/18072 and https://github.com/PrestaShop/PrestaShop/issues/18100

PululuK picture PululuK on 12 Mar 2020
👍2

@eternoendless As far as I can see Line 89 in classes/form/CustomerForm.php of your commit fixes it? Do we absolutely need the rest to fix this security vulnerability?

$customer = new Customer($this->context->customer->id);

Can you approve this? Thank you.

michaelKaefer picture michaelKaefer on 12 Mar 2020

@michaelKaefer Yes you need others things to make it work. It's mandatory.

PierreRambaud picture PierreRambaud on 12 Mar 2020

Ok

michaelKaefer picture michaelKaefer on 12 Mar 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

zuk3975 picture zuk3975  路  3Comments
vincent-dp picture vincent-dp  路  3Comments
prestonBot picture prestonBot  路  3Comments
matks picture matks  路  3Comments
centoasa picture centoasa  路  3Comments