CVE-2018-7491 Information

Description

In PrestaShop through 1.7.2.5 a UI-Redressing/Clickjacking vulnerability was found that might lead to state-changing impact in the context of a user or an admin because the generateHtaccess function in classes/Tools.php sets neither X-Frame-Options nor ‘Content-Security-Policy \frame-ancestors’ values.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Reference

http://forge.prestashop.com/browse/BOOM-4917 https://github.com/PrestaShop/PrestaShop/pull/8807

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

NONE

Availability Impact

HIGH

Base Score

NONE

Base Severity

7.5