CVE-2018-20717: PrestaShop PHP Object Injection
CVSS Score: 8.8 (CVSS v3.0)
Basic Information
CVE ID: CVE-2018-20717
GHSA ID
EPSS Score: 0.85962%
CWE
Published: 5/14/2022
Updated: 10/6/2023
KEV Status: No
Technology: PHP
Technical Details
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| prestashop/prestashop | composer | < 1.7.2.5 | 1.7.2.5 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from improper validation of serialized data during order processing. PrestaShop's protection mechanism checked for 'O:' followed by digits but missed 'O:+' patterns. This suggests that a regex-based validation in a deserialization helper function (such as Tools::unSerialize) was bypassed. The Tools class is a common location for serialization utilities in PrestaShop, and the patched version 1.7.2.5 would have modified this validation logic. The high confidence comes from the attack pattern (PHP object injection via unserialize) and the documented bypass technique targeting serialization validation.
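A worked illustration of the check described above, added here and not taken from PrestaShop's code: a weak object filter that only matches 'O:' plus digits, the tightened pattern that also covers the 'O:+' form PHP's own parser accepts, and the allowed_classes mitigation that removes the dependence on pattern matching altogether. Function names and the sample inputs are constructed for this example.

```php
<?php
// Added illustration, not PrestaShop code. Models the validation flaw described
// above: a denylist regex that matches only "O:" followed by digits, and the
// hardened variant that also rejects the "O:+" form PHP's unserialize() accepts.

/** Weak filter, modelled on the pre-1.7.2.5 behaviour described above. */
function looksLikeObjectWeak(string $data): bool {
    return preg_match('/O:\d+:"/', $data) === 1;
}

/** Hardened filter: PHP's unserialize() parser accepts an optional '+' before
 *  the class-name length, so the sign has to be part of the pattern. The
 *  custom-serialisation marker (C:) is covered as well. A denylist like this
 *  remains fragile; it is a detection aid, not the fix. */
function looksLikeObjectHardened(string $data): bool {
    return preg_match('/[OC]:\+?\d+:"/', $data) === 1;
}

/** Preferred mitigation: never let untrusted input instantiate classes.
 *  allowed_classes => false (PHP >= 7.0) turns every serialized object into
 *  __PHP_Incomplete_Class, whatever its length prefix looks like. */
function safeUnserialize(string $data) {
    return unserialize($data, ['allowed_classes' => false]);
}

// Constructed sample inputs: a benign array, a plain object, and the
// object form with the '+' sign that the weak check does not match.
$samples = [
    'array'       => serialize(['qty' => 2, 'sku' => 'ABC']),
    'object'      => 'O:8:"stdClass":0:{}',
    'object-plus' => 'O:+8:"stdClass":0:{}',
];

foreach ($samples as $label => $data) {
    $decoded = safeUnserialize($data);
    printf("%-12s weak=%-5s hardened=%-5s decoded=%s\n",
        $label,
        looksLikeObjectWeak($data) ? 'flag' : 'pass',
        looksLikeObjectHardened($data) ? 'flag' : 'pass',
        is_object($decoded) ? get_class($decoded) : gettype($decoded));
}
```

Running the script shows the weak filter passing the 'object-plus' sample while the hardened filter flags it, and allowed_classes => false yielding __PHP_Incomplete_Class for both object samples.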