CVE-2018-7491

HIGH

PrestaShop < 1.7.2.5 - UI-Redressing/Clickjacking via Missing X-Frame-Options and CSP Headers

Title source: llm
STIX 2.1

Description

In PrestaShop through 1.7.2.5, a UI-Redressing/Clickjacking vulnerability was found that might lead to state-changing impact in the context of a user or an admin, because the generateHtaccess function in classes/Tools.php sets neither X-Frame-Options nor 'Content-Security-Policy "frame-ancestors' values.

References (2)

Core 2
Core References
Permissions Required, Vendor Advisory x_refsource_misc
http://forge.prestashop.com/browse/BOOM-4917
Issue Tracking, Third Party Advisory x_refsource_misc
https://github.com/PrestaShop/PrestaShop/pull/8807

Scores

CVSS v3 7.5
EPSS 0.0112
EPSS Percentile 61.8%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Details

CWE
CWE-1021
Status published
Products (1)
prestashop/prestashop < 1.7.2.5
Published Feb 26, 2018
Tracked Since Feb 18, 2026