CVE-2020-15080 : What You Need to Know

Learn about CVE-2020-15080, a vulnerability in PrestaShop versions from 1.7.4.0 up to, but not including, 1.7.6.6 that allows unauthorized access to sensitive information. Find mitigation steps and prevention measures.

In PrestaShop from version 1.7.4.0 and before version 1.7.6.6, certain files should not be in the release archive, and others should not be accessible. The issue is resolved in version 1.7.6.6. A workaround is to ensure composer.json and docker-compose.yml are not accessible on the server.

Understanding CVE-2020-15080

This CVE involves information disclosure in the release archive of PrestaShop.

What is CVE-2020-15080?

CVE-2020-15080 is a vulnerability in PrestaShop versions from 1.7.4.0 up to, but not including, 1.7.6.6 that allows unauthorized access to sensitive information.

The Impact of CVE-2020-15080

The impact of this vulnerability is rated as MEDIUM with a CVSS base score of 5.3. It can lead to the exposure of sensitive data to unauthorized actors.

Technical Details of CVE-2020-15080

This section provides more technical insights into the CVE.

Vulnerability Description

The vulnerability in PrestaShop allows unauthorized access to sensitive information, potentially leading to data exposure.

Affected Systems and Versions

        Product: PrestaShop
        Vendor: PrestaShop
        Versions Affected: >= 1.7.4.0, < 1.7.6.6

Exploitation Mechanism

The vulnerability can be exploited by accessing certain files in the release archive that should not be available.

Mitigation and Prevention

Protect your systems from CVE-2020-15080 with these mitigation strategies.

Immediate Steps to Take

        Update PrestaShop to version 1.7.6.6 to fix the vulnerability.
        Ensure that composer.json and docker-compose.yml are not accessible on your server.
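
To confirm the workaround on a shop you operate, the following added example (not code from PrestaShop or from this page) requests the two files named above and reports whether the server actually serves them. The function names and the content heuristics used to rule out soft-404 pages are assumptions of this example.

```python
import json
import urllib.error
import urllib.request

# The two files named in the advisory's workaround.
SENSITIVE_FILES = ("composer.json", "docker-compose.yml")


def looks_like_real_file(name, body):
    """Tell a genuinely served file from a soft-404 page returned with HTTP 200."""
    if name.endswith(".json"):
        try:
            return isinstance(json.loads(body), dict)
        except ValueError:
            return False
    # docker-compose.yml: look for top-level keys instead of requiring a YAML parser.
    text = body.decode("utf-8", errors="replace")
    return any(line.startswith(("services:", "version:")) for line in text.splitlines())


def check_exposure(base_url, files=SENSITIVE_FILES, timeout=5):
    """Return {filename: "exposed" | "blocked" | "unreachable"} for one shop root."""
    results = {}
    for name in files:
        url = base_url.rstrip("/") + "/" + name
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                body = resp.read(1 << 20)  # cap the read at 1 MiB
                exposed = resp.status == 200 and looks_like_real_file(name, body)
                results[name] = "exposed" if exposed else "blocked"
        except urllib.error.HTTPError:
            results[name] = "blocked"      # 403/404 etc.: the server refused to serve it
        except (urllib.error.URLError, OSError):
            results[name] = "unreachable"  # DNS/TCP/TLS failure: no verdict possible
    return results


if __name__ == "__main__":
    import sys
    # Usage: python check_exposure.py https://shop.example.test  (placeholder host)
    for fname, verdict in check_exposure(sys.argv[1]).items():
        print(f"{fname}: {verdict}")
```

Any "exposed" result means the file is still reachable and needs to be removed from the web root or denied in the web server configuration.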

Long-Term Security Practices

        Regularly monitor and restrict access to sensitive files.
        Implement strong access controls and permissions on your server.

Patching and Updates

        Apply patches and updates provided by PrestaShop to address security vulnerabilities.
