First published: Thu Sep 28 2023
### Impact
In the back office (BO), an employee can list all modules without any access rights: the method `ajaxProcessGetPossibleHookingListForModule` doesn't check access rights.

### Patches
Fixed in 8.1.2.

### Workarounds

### References
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
Prestashop Prestashop | <8.1.2 | |
In the PrestaShop Back office interface, an employee can list all modules without any access rights.
Update PrestaShop to version 8.1.2 or higher, which includes the fix for this vulnerability.
The severity of CVE-2023-43664 is medium, with a CVSS score of 4.3.
The CWE number of CVE-2023-43664 is 269.
You can find more information about CVE-2023-43664 in the following references: [reference 1](https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-gvrg-62jp-rf7j), [reference 2](https://github.com/PrestaShop/PrestaShop/commit/15bd281c18f032a5134a8d213b44d24829d45762), [reference 3](https://github.com/advisories/GHSA-gvrg-62jp-rf7j).
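
An added example, not PrestaShop's code and not the fix from the commit referenced above: a small Python audit that flags `ajaxProcess*` controller methods whose body never calls an access check, which is the pattern this advisory describes. The check pattern `$this->access(` and the sample PHP class (including the body given to the method named in the advisory) are assumptions constructed for the demonstration; set `check_pattern` to whatever check your code base uses.

```python
import re

# Comments and string literals are blanked first so braces inside them do not
# confuse the brace matcher and a commented-out check does not count as a guard.
NOISE = re.compile(r"//[^\n]*|/\*.*?\*/|'(?:\\.|[^'\\])*'|\"(?:\\.|[^\"\\])*\"", re.S)
HANDLER = re.compile(r"function\s+(ajaxProcess\w+)\s*\([^)]*\)[^{;]*\{")

def unguarded_ajax_handlers(php_source, check_pattern=r"\$this->access\s*\("):
    """Return names of ajaxProcess* methods whose body never calls the check."""
    src = NOISE.sub("", php_source)
    check = re.compile(check_pattern)
    findings = []
    for m in HANDLER.finditer(src):
        depth, pos = 1, m.end()          # m.end() is just past the opening brace
        while pos < len(src) and depth:  # walk to the matching closing brace
            depth += {"{": 1, "}": -1}.get(src[pos], 0)
            pos += 1
        if not check.search(src, m.end(), pos):
            findings.append(m.group(1))
    return findings

# Constructed sample controller, not PrestaShop source.
SAMPLE = r'''<?php
class AdminExampleController extends ModuleAdminController
{
    public function ajaxProcessListThings()
    {
        if (!$this->access('view')) {
            die(json_encode(['hasError' => true]));
        }
        die(json_encode($this->things()));
    }

    public function ajaxProcessGetPossibleHookingListForModule()
    {
        // $this->access('view') was never called here
        $id = (int) Tools::getValue('module_id');
        die(json_encode(['hooks' => "{$id}"]));
    }
}
'''

if __name__ == "__main__":
    for name in unguarded_ajax_handlers(SAMPLE):
        print("no access check in handler:", name)
```

A finding means the handler needs manual review, since a check may be enforced elsewhere, such as in a parent class or a shared dispatcher.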