CVE-2020-15080

State: PUBLISHED · Published: 2020-07-02 · Updated: 2024-08-04 · Assigner: GitHub_M

Description

In PrestaShop from version 1.7.4.0 and before version 1.7.6.6, some files should not be in the release archive, and others should not be accessible. The problem is fixed in version 1.7.6.6 A possible workaround is to make sure `composer.json` and `docker-compose.yml` are not accessible on your server.

CWE

CWE-200 — {"CWE-200":"Exposure of Sensitive Information to an Unauthorized Actor"}

Affected

PrestaShop / PrestaShop — v=>= 1.7.4.0, <1.7.6.6 [affected]

CVSS

3.1 score=5.3 severity=MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References

https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-492w-2pp5-xhvg x_refsource_CONFIRM
https://github.com/PrestaShop/PrestaShop/commit/35ef7e9d892287c302df1fc5aa05ecfc6f15bc76 x_refsource_MISC

Source

cvelistV5-main/cves/2020/15xxx/CVE-2020-15080.json