GHSA-mrq4-7ch7-2465

Source

https://github.com/advisories/GHSA-mrq4-7ch7-2465

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-mrq4-7ch7-2465/GHSA-mrq4-7ch7-2465.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-mrq4-7ch7-2465

Aliases

CVE-2022-21686

Published

2022-01-27T18:32:47Z

Modified

2024-02-19T05:33:18.569946Z

Severity

9.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS Calculator

Summary

Server Side Twig Template Injection

Details

PrestaShop is an Open Source e-commerce platform. Starting with version 1.7.0.0 and ending with version 1.7.8.3, an attacker is able to inject twig code inside the back office when using the legacy layout. The problem is fixed in version 1.7.8.3. There are no known workarounds.

Database specific

{
    "nvd_published_at": "2022-01-26T20:15:00Z",
    "cwe_ids": [
        "CWE-94"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2022-01-26T22:51:57Z"
}

References

Affected packages

Packagist / prestashop/prestashop

Package

Name: prestashop/prestashop
Purl: pkg:composer/prestashop/prestashop

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.7.0.0

Fixed

1.7.8.3

Affected versions

1.*

1.7.0.0

1.7.0.1

1.7.0.2

1.7.0.3

1.7.0.4

1.7.0.5

1.7.0.6

1.7.1.0

1.7.1.1

1.7.1.2

1.7.2.0-rc.1.0

1.7.2.0

1.7.2.1

1.7.2.2

1.7.2.3

1.7.2.4

1.7.2.5

1.7.3.0

1.7.3.1

1.7.3.2

1.7.3.3

1.7.3.4

1.7.4.0-beta.1

1.7.4.0

1.7.4.1

1.7.4.2

1.7.4.3

1.7.4.4

1.7.5.0-beta.1

1.7.5.0-rc.1

1.7.5.0

1.7.5.1

1.7.5.2

1.7.6.0-beta.1

1.7.6.0-rc.1

1.7.6.0-rc.2

1.7.6.0

1.7.6.1

1.7.6.2

1.7.6.3

1.7.6.4

1.7.6.5

1.7.6.6

1.7.6.7

1.7.6.8

1.7.6.9

1.7.7.0-beta.1

1.7.7.0-beta.2

1.7.7.0-rc.1

1.7.7.0

1.7.7.1

1.7.7.2

1.7.7.3

1.7.7.4

1.7.7.5

1.7.7.6

1.7.7.7

1.7.7.8

1.7.8.0-beta.1

1.7.8.0-rc.1

1.7.8.0

1.7.8.1

1.7.8.2

Database specific

{
    "last_known_affected_version_range": "<= 1.7.8.2"
}