A vulnerability was found in PrestaShop up to 1.7.2.5 (E-Commerce Management Software). It has been classified as problematic. This affects the function generateHtaccess of the file UI-Redressing/Clickjacking. The manipulation with an unknown input leads to a input validation vulnerability. CWE is classifying the issue as CWE-20. The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. This is going to have an impact on integrity. The summary by CVE is:

In PrestaShop through 1.7.2.5, a UI-Redressing/Clickjacking vulnerability was found that might lead to state-changing impact in the context of a user or an admin, because the generateHtaccess function in classes/Tools.php sets neither X-Frame-Options nor 'Content-Security-Policy "frame-ancestors' values.

The bug was discovered 02/26/2018. The weakness was disclosed 02/26/2018 (Website). It is possible to read the advisory at forge.prestashop.com. This vulnerability is uniquely identified as CVE-2018-7491 since 02/26/2018. It is possible to initiate the attack remotely. No form of authentication is needed for exploitation. It demands that the victim is doing some kind of user interaction. Technical details of the vulnerability are known, but there is no available exploit.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

Productinfo

Type

• E-Commerce Management Software

Name

• PrestaShop

Version

• 1.7.2.0
• 1.7.2.1
• 1.7.2.2
• 1.7.2.3
• 1.7.2.4
• 1.7.2.5

License

• open-source

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion