Vulnerability Description
In PrestaShop through 1.7.2.5, a UI-redressing (clickjacking) vulnerability was found that might lead to state-changing impact in the context of a user or an admin. The generateHtaccess function in classes/Tools.php writes the shop's .htaccess without setting either an X-Frame-Options header or a Content-Security-Policy frame-ancestors directive, so storefront and back-office pages can be embedded in a frame on an attacker-controlled site and a logged-in user or administrator can be tricked into clicking through invisible overlaid controls.
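As an added example (this is not PrestaShop's code and not the change in the linked pull request), the POSIX shell script below does two things a practitioner would want here: it emits the two anti-framing directives that the generated .htaccess lacked, and it checks a captured HTTP response header block for an effective anti-framing policy. Placing the directives in .htaccess under mod_headers, and the hostname in the usage comment, are assumptions; the sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example, not PrestaShop's code. Assumes Apache with mod_headers
# enabled and .htaccess overrides allowed (assumption).

# The two directives the generated .htaccess was missing. Both are emitted:
# X-Frame-Options for older browsers, frame-ancestors for CSP-aware ones
# (a browser that understands both follows the CSP directive).
framing_hardening_snippet() {
  cat <<'EOF'
<IfModule mod_headers.c>
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set Content-Security-Policy "frame-ancestors 'self'"
</IfModule>
EOF
}

# check_framing_headers: read raw response headers on stdin, print
# "protected" and return 0 if framing by third parties is forbidden,
# otherwise print "unprotected" and return 1.
# Usage: curl -sI https://shop.example/ | check_framing_headers   (hostname assumed)
check_framing_headers() {
  # Normalise: strip CR, lowercase names and values for comparison.
  hdrs=$(tr -d '\r' | tr '[:upper:]' '[:lower:]')
  xfo=$(printf '%s\n' "$hdrs" | sed -n 's/^x-frame-options:[[:space:]]*//p' \
        | sed 's/[[:space:]]*$//' | head -n1)
  # Only the enforcing header counts; Content-Security-Policy-Report-Only
  # does not match this pattern and blocks nothing.
  csp=$(printf '%s\n' "$hdrs" | sed -n 's/^content-security-policy:[[:space:]]*//p' | head -n1)

  # DENY and SAMEORIGIN are effective; the deprecated ALLOW-FROM is ignored
  # by current browsers and is deliberately not accepted here.
  case "$xfo" in
    deny|sameorigin) echo protected; return 0 ;;
  esac

  # Split CSP directives on ';' and pull out frame-ancestors; any source
  # list other than a bare '*' restricts who may frame the page.
  fa=$(printf '%s\n' "$csp" | tr ';' '\n' \
       | sed -n 's/^[[:space:]]*frame-ancestors[[:space:]]*//p' \
       | sed 's/[[:space:]]*$//' | head -n1)
  if [ -n "$fa" ] && [ "$fa" != "*" ]; then
    echo protected; return 0
  fi
  echo unprotected; return 1
}
```

Run the checker against the storefront, the back-office login page and an authenticated back-office page separately: a policy set on the front controller does not prove the admin directory inherits it, and a CSP without frame-ancestors, or a Report-Only policy, leaves the page frameable even though a header named Content-Security-Policy is present.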
CVSS Score
7.5 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| PrestaShop | PrestaShop | <= 1.7.2.5 |
Related Weaknesses (CWE)
References
- http://forge.prestashop.com/browse/BOOM-4917 (Permissions Required, Vendor Advisory)
- https://github.com/PrestaShop/PrestaShop/pull/8807 (Issue Tracking, Third Party Advisory)
FAQ
What is CVE-2018-7491?
CVE-2018-7491 is a clickjacking (UI-redressing) vulnerability with a CVSS score of 7.5 (HIGH). In PrestaShop through 1.7.2.5, the generateHtaccess function in classes/Tools.php sets neither an X-Frame-Options header nor a Content-Security-Policy frame-ancestors directive, so pages can be framed by a third-party site and a logged-in user or admin can be tricked into state-changing actions.
How severe is CVE-2018-7491?
CVE-2018-7491 has been rated HIGH with a CVSS base score of 7.5/10. Only the base score is recorded on this page; the impact depends on what the framed user can do, so an exploited administrator session is the case that matters most.
Is there a patch for CVE-2018-7491?
Check the references section above for vendor advisories and patch information: the PrestaShop forge ticket BOOM-4917 is the vendor advisory and the linked GitHub pull request (PrestaShop/PrestaShop#8807) tracks the fix. The affected product is PrestaShop through 1.7.2.5. Until a fixed release is deployed, the headers can be added at the web server or reverse proxy, and the fix should be verified by inspecting the response headers of both storefront and back-office pages.