PrestaShop gamification module ZIP archives were vulnerable from CVE-2017-9841
High severity
GitHub Reviewed
Published
Jan 7, 2020
in
PrestaShopCorp/gamification
•
Updated Jan 9, 2023
Description
Reviewed
Jan 8, 2020
Published to the GitHub Advisory Database
Jan 8, 2020
Last updated
Jan 9, 2023
Impact
We have identified that some gamification module ZIP archives have been built with phpunit dev dependencies. PHPUnit contains a php script that would allow, on a webserver, an attacker to perform a RCE.
This vulnerability impacts
You can read PrestaShop official statement about this vulnerability here.
Patches
In the security patch, we look for the unwanted vendor/phpunit folder and remove it if we find it. This allows users to fix the security issue when upgrading.
Workarounds
Users can also simply remove the unwanted vendor/phpunit folder.
References
https://nvd.nist.gov/vuln/detail/CVE-2017-9841
For more information
If you have any questions or comments about this advisory, email us at [email protected]
References