Headline
GHSA-3g43-x7qr-96ph: Possible CSRF token fixation
Impact
When authenticating users, PrestaShop preserves session attributes. Because it does not clear CSRF tokens upon login, this might enable same-site attackers to bypass the CSRF protection mechanism by performing an attack similar to session fixation.
Patches
The problem is fixed in version 8.0.1
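The following is an added illustration, not PrestaShop code (PrestaShop is PHP; this is a Python model written for this page). It contrasts the two login behaviours the advisory describes: one that authenticates in place and keeps every pre-login session attribute, including the CSRF token, and one that rotates the session and issues a fresh token at the authentication boundary. The `SessionStore`, `login_*` and `csrf_check` names are assumptions for the example and do not correspond to PrestaShop identifiers.

```python
"""
Added example (not PrestaShop's code): why preserving session attributes
across login lets a pre-authentication CSRF token remain valid afterwards,
and how regenerating the session and token at login closes that gap.
All identifiers below are illustrative assumptions.
"""
import hmac
import secrets


class SessionStore:
    """Minimal in-memory session store keyed by an opaque session id."""

    def __init__(self):
        self._sessions = {}

    def start(self):
        """Create an anonymous session; the CSRF token is issued pre-login."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"csrf": secrets.token_hex(32), "user": None}
        return sid

    def get(self, sid):
        return self._sessions[sid]

    def exists(self, sid):
        return sid in self._sessions

    def rotate(self, sid):
        """Move the session data to a fresh id (session-fixation defence)."""
        data = self._sessions.pop(sid)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid


def login_preserving_attributes(store, sid, username):
    """Weak pattern: authenticate in place and keep every attribute,
    including the CSRF token that already existed before authentication."""
    store.get(sid)["user"] = username
    return sid


def login_with_token_regeneration(store, sid, username):
    """Hardened pattern: rotate the session id and issue a new CSRF token
    at the privilege boundary, so a token seen before login is useless after."""
    new_sid = store.rotate(sid)
    sess = store.get(new_sid)
    sess["user"] = username
    sess["csrf"] = secrets.token_hex(32)
    return new_sid


def csrf_check(store, sid, submitted_token):
    """Constant-time comparison of the submitted token with the session's."""
    if not store.exists(sid):
        return False
    expected = store.get(sid)["csrf"]
    return hmac.compare_digest(expected, submitted_token)


def stale_token_accepted(login):
    """Test harness: record the token issued before authentication, log in
    with the given handler, then present that stale token on a request made
    in the authenticated session. Returns True if the check still passes."""
    store = SessionStore()
    sid = store.start()
    stale_token = store.get(sid)["csrf"]      # known before authentication
    sid = login(store, sid, "alice")          # constructed sample user
    return csrf_check(store, sid, stale_token)


if __name__ == "__main__":
    print("preserving attributes accepts stale token:",
          stale_token_accepted(login_preserving_attributes))    # True
    print("regenerating at login accepts stale token:",
          stale_token_accepted(login_with_token_regeneration))  # False
```

The property worth asserting in a regression test is the one `stale_token_accepted` checks: a CSRF token issued to an unauthenticated session must not validate once that session has been authenticated. Rotating the session id alone is not enough for this advisory's issue; the token itself has to be regenerated, which is why the hardened handler does both.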
Possible CSRF token fixation
Moderate severity GitHub Reviewed Published Mar 13, 2023 in PrestaShop/PrestaShop • Updated Mar 13, 2023
Package
composer prestashop/prestashop (Composer)
Affected versions
< 8.0.1
References
- GHSA-3g43-x7qr-96ph
- https://nvd.nist.gov/vuln/detail/CVE-2023-25170
Published by the National Vulnerability Database
Mar 13, 2023
Published to the GitHub Advisory Database
Mar 13, 2023
Last updated
Mar 13, 2023
Related news
PrestaShop is an open source e-commerce web application that, prior to version 8.0.1, is vulnerable to cross-site request forgery (CSRF). When authenticating users, PrestaShop preserves session attributes. Because this does not clear CSRF tokens upon login, this might enable same-site attackers to bypass the CSRF protection mechanism by performing an attack similar to a session-fixation. The problem is fixed in version 8.0.1.