Description
In PrestaShop from version 1.7.4.0 and before version 1.7.6.6, the release archive contains some files that should not be included, and other files that should not be accessible. The problem is fixed in version 1.7.6.6. A possible workaround is to make sure `composer.json` and `docker-compose.yml` are not accessible on your server.
References (2)
Core References
Third Party Advisory x_refsource_confirm
https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-492w-2pp5-xhvg
Patch, Third Party Advisory x_refsource_misc
https://github.com/PrestaShop/PrestaShop/commit/35ef7e9d892287c302df1fc5aa05ecfc6f15bc76
Scores
CVSS v3
5.3
EPSS
0.0021
EPSS Percentile
42.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Details
CWE
CWE-862
CWE-200
Status
published
Products (1)
prestashop/prestashop
1.7.4.0 - 1.7.6.6
Published
Jul 02, 2020
Tracked Since
Feb 18, 2026