CVE-2020-15081 Scanner
CVE-2020-15081 Scanner - Information Disclosure vulnerability in PrestaShop
PrestaShop is an open-source e-commerce solution used widely by online retailers for managing their online stores. It provides a comprehensive platform for creating, managing, and scaling online shops. PrestaShop offers a range of features, including product catalog management, payment gateways, and store customization. It is popular among small to medium-sized businesses for its flexibility and community support. Retailers use PrestaShop to effectively handle inventory, customer orders, and sales. With a modular design, it allows users to enhance functionality through plugins and add-ons.
This Information Disclosure vulnerability affects PrestaShop versions after 1.5.0.0 and before 1.7.6.6. The upload directory is missing an index.php file, so the web server can return a directory listing for it. Unauthorized users can then enumerate the files contained within the upload directory. This information exposure could leak sensitive data, potentially putting customer privacy at risk. The issue underlines the importance of securing directory structures against unauthorized access.
The vulnerable endpoint is the upload directory, specifically when accessed via a URL structured like "http://[PrestaShop_URL]/upload/". Because index.php is missing, nothing redirects or restricts access to the directory, so potential attackers can browse its contents if directory listing is not disabled. Matchers in the scan look for HTTP status code 200 and certain content keywords indicating an active directory listing. This can lead to the exposure of file names, file structure, and possibly the content of uploaded files.
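The following audit sketch is an added example, not the scanner's own code or PrestaShop code. It mirrors the matcher logic described above (status 200 plus listing keywords) and adds a filesystem check a shop owner can run against their own install to find upload directories that lack an index.php. The "Index of /" markers are an assumption based on the default Apache and nginx autoindex pages, since the page does not list the scanner's keywords; the `upload/orders` subdirectory and the sample responses are constructed.

```python
import os
import re
import tempfile

# Assumed markers: default Apache and nginx autoindex pages use "Index of /<path>"
# in the <title> and <h1>. The scanner's real keyword list is not given on the page.
LISTING_MARKERS = (
    re.compile(r"<title>\s*Index of /", re.I),
    re.compile(r"<h1>\s*Index of /", re.I),
)

def is_directory_listing(status, body):
    """Matcher as described above: HTTP 200 and a directory-listing keyword."""
    return status == 200 and any(m.search(body) for m in LISTING_MARKERS)

def dirs_missing_index(shop_root, subdir="upload"):
    """Return directories under <shop_root>/<subdir> that have no index.php."""
    missing = []
    for dirpath, _dirnames, filenames in os.walk(os.path.join(shop_root, subdir)):
        if "index.php" not in filenames:
            missing.append(os.path.relpath(dirpath, shop_root).replace(os.sep, "/"))
    return sorted(missing)

def demo():
    # Constructed responses: an autoindex page and an ordinary shop page.
    listing = ("<html><head><title>Index of /upload</title></head>"
               "<body><h1>Index of /upload</h1><a href=\"file.pdf\">file.pdf</a></body></html>")
    normal = "<html><head><title>My shop</title></head><body>Welcome</body></html>"
    # Constructed install tree: upload/ lacks index.php, upload/orders/ has one.
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "upload", "orders"))
        open(os.path.join(root, "upload", "orders", "index.php"), "w").close()
        before = dirs_missing_index(root)
        # Simulate the remediation: place an index.php in the upload directory.
        open(os.path.join(root, "upload", "index.php"), "w").close()
        after = dirs_missing_index(root)
    return {
        "listing_detected": is_directory_listing(200, listing),
        "normal_page_detected": is_directory_listing(200, normal),
        "missing_before": before,
        "missing_after": after,
    }

if __name__ == "__main__":
    print(demo())
```

Point `dirs_missing_index` at the real shop root to audit an installation; disabling directory listing in the web server configuration closes the exposure independently of the missing file.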
Exploitation of this vulnerability may result in unauthorized exposure of sensitive information stored within the directory. This could include customer data, invoice files, or internal documents, which attackers could use for malicious purposes. The exposure might also lead to privacy breaches and legal implications for businesses failing to protect customer data adequately. In severe cases, it could damage the business reputation and erode customer trust.