MEDIUM · CVE-2021-21308 · CVSS 6.1

Improper session management in soft logout

Platform

php

Component

prestashop

Fixed version

1.7.7.2

AI confidence: high · Source: NVD · EPSS 0.3% · Reviewed: May 2026

CVE-2021-21308 is an improper session management vulnerability in PrestaShop, a popular open-source e-commerce platform. According to the advisory, the front-office "soft logout" system is not complete, and an attacker is able to make a forged request (the advisory's wording is "foreign request") and execute customer commands, that is, actions the shop allows a logged-in customer to perform. The vulnerability affects versions 1.5.0 through 1.7.7.1 (every release >= 1.5.0 and < 1.7.7.2), and the fix is in version 1.7.7.2.

Impact and attack scenarios

PrestaShop's front office distinguishes a full logout from a "soft" logout that keeps part of the customer's context (such as the cart) so the same customer can sign back in quickly. The advisory states that this soft logout was not complete: customer state that should have been cleared survived the logout, and an attacker could get a forged request accepted as that customer and execute customer commands. The CVSS vector fits this picture: no privileges are needed (PR:N), the victim must interact (UI:R), and the scope change (S:C) reflects a request issued by one party being acted on as another. Confidentiality and integrity impacts are rated low, which matches exposure or modification of one customer's account data rather than compromise of the shop's backend. The advisory does not enumerate which customer actions are reachable, so until the instance is upgraded, treat everything available in the customer account area (stored addresses, identity details, orders) as in scope.

Exploitation context

CVE-2021-21308 was publicly disclosed on February 26, 2021. There is no indication of active exploitation campaigns targeting this vulnerability at the time of writing, and it is not listed on CISA KEV. No public proof-of-concept exploit is recorded in this page's threat-intelligence data (proof-of-concept status: unknown), and the low EPSS score (0.31%) likewise predicts a low probability of exploitation in the wild. The preconditions are nonetheless ordinary: network access and a victim customer who acts on attacker-supplied content (PR:N, UI:R).

Who is at risk

PrestaShop installations running any release from 1.5.0 up to and including 1.7.7.1 are at risk. This covers merchants on the 1.7 branch who have not applied the 1.7.7.2 update, and every installation still on the 1.5 or 1.6 branches, which received no fix of their own and must move to 1.7.7.2 or later. The exposed party is the shop's customers: the flaw lets an attacker act on a customer's account, so stores with many active customer accounts, stored addresses and order histories have the most to lose. Shared or unmanaged hosting where updates are applied late stays exposed the longest.

Detection steps

• php: Confirm the installed release. PrestaShop 1.7.x declares it as const VERSION in app/AppKernel.php; the 1.5 and 1.6 branches define _PS_VERSION_ in config/settings.inc.php. Anything from 1.5.0 up to 1.7.7.1 is affected. Run from the shop's document root:

grep -h -E "const VERSION|_PS_VERSION_" app/AppKernel.php config/settings.inc.php 2>/dev/null

• generic web: Review web-server access logs for state-changing front-office requests (POST to customer controllers such as address, identity or order) whose Referer or Origin is not your shop's host, or is missing; that is the shape a forged request leaves behind. Also check how the customer cookie is issued (Secure, HttpOnly and, where the release supports it, SameSite attributes), replacing shop.example with your storefront:

curl -sI https://shop.example/ | grep -i '^set-cookie'
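The two detection steps above, as an added example that is not PrestaShop's own code: a small Python triage script that (1) reads the declared version out of app/AppKernel.php or config/settings.inc.php text and tests it against the affected range, and (2) scans combined-format access-log lines for POSTs to customer controllers whose Referer host is not the shop's own. The file excerpts and log lines are constructed for the demo; the controller list and the shop host shop.example are assumptions to adjust for your storefront.

```python
"""Triage helpers for CVE-2021-21308 (PrestaShop incomplete soft logout).

Added example for this page, not code from PrestaShop.  Two checks:
  1. read the declared PrestaShop version and test it against the
     affected range (>= 1.5.0, < 1.7.7.2);
  2. scan access-log lines for state-changing front-office POSTs whose
     Referer is not the shop's own host, the trace a forged ("foreign")
     request leaves behind.
Sample file contents and log lines below are constructed for the demo.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

AFFECTED_MIN = (1, 5, 0)
FIXED_IN = (1, 7, 7, 2)

# 1.7.x: "const VERSION = '1.7.7.1';" in app/AppKernel.php
# 1.5/1.6: "define('_PS_VERSION_', '1.6.1.24');" in config/settings.inc.php
_VERSION_RE = re.compile(
    r"(?:const\s+VERSION\s*=\s*|define\(\s*'_PS_VERSION_'\s*,\s*)'(\d+(?:\.\d+)*)'"
)

# Apache/nginx "combined" log format: client, ident, user, time, request,
# status, bytes, referer, user agent.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Assumed starting set of front-office controllers that change customer state.
STATE_CHANGING = {"address", "identity", "order", "cart", "authentication"}


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.7.7.1' -> (1, 7, 7, 1); tuple comparison gives semantic ordering."""
    return tuple(int(p) for p in text.split("."))


def extract_version(source: str) -> Optional[str]:
    """Pull the version literal out of AppKernel.php / settings.inc.php text."""
    m = _VERSION_RE.search(source)
    return m.group(1) if m else None


def is_affected(version: str) -> bool:
    """True when version lies in [1.5.0, 1.7.7.2)."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_IN


def _controller(path: str) -> Optional[str]:
    """Controller named by a request path: index.php?controller=address or,
    with friendly URLs, the last path segment (/en/address)."""
    parts = urlsplit(path)
    query = dict(p.split("=", 1) for p in parts.query.split("&") if "=" in p)
    if "controller" in query:
        return query["controller"]
    segs = [s for s in parts.path.split("/") if s]
    return segs[-1] if segs else None


def find_foreign_requests(lines: List[str], shop_host: str) -> List[dict]:
    """Flag POSTs to customer controllers whose Referer host != shop_host.
    A missing Referer ("-") is flagged too: a browser form post from the
    shop's own pages normally carries one."""
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        ctrl = _controller(m["path"])
        if ctrl not in STATE_CHANGING:
            continue
        ref = m["referer"]
        ref_host = urlsplit(ref).hostname if ref not in ("", "-") else None
        if ref_host != shop_host:
            hits.append({"ip": m["ip"], "ts": m["ts"],
                         "controller": ctrl, "referer": ref})
    return hits


# Constructed sample inputs.
SAMPLE_APPKERNEL = "class AppKernel extends Kernel\n{\n    const VERSION = '1.7.7.1';\n"
SAMPLE_SETTINGS = "define('_PS_VERSION_', '1.6.1.24');\n"
SAMPLE_LOG = [
    '198.51.100.7 - - [26/Feb/2021:10:14:01 +0000] "GET /index.php?controller=address HTTP/1.1" 200 5120 "https://shop.example/my-account" "Mozilla/5.0"',
    '198.51.100.7 - - [26/Feb/2021:10:14:20 +0000] "POST /index.php?controller=address HTTP/1.1" 302 0 "https://shop.example/index.php?controller=address" "Mozilla/5.0"',
    '203.0.113.5 - - [26/Feb/2021:10:15:32 +0000] "POST /index.php?controller=address HTTP/1.1" 302 0 "https://attacker.example/lure.html" "Mozilla/5.0"',
    '203.0.113.9 - - [26/Feb/2021:10:16:05 +0000] "POST /en/order HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [26/Feb/2021:10:17:44 +0000] "POST /index.php?controller=contact HTTP/1.1" 200 3100 "https://other.example/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for src in (SAMPLE_APPKERNEL, SAMPLE_SETTINGS):
        v = extract_version(src)
        print(f"version {v}: {'AFFECTED' if v and is_affected(v) else 'not affected'}")
    for hit in find_foreign_requests(SAMPLE_LOG, "shop.example"):
        print("suspicious:", hit)
```

Only the two cross-origin or referer-less POSTs to customer controllers are reported; the legitimate same-origin POST, the GET and the POST to a controller outside the set are ignored. Running the version check against a real tree means feeding it the actual file contents, and the controller set should be widened to whatever customer actions your theme exposes.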

Attack timeline

  1. Disclosure

Threat intelligence

Exploitation status

Proof of concept: Unknown
CISA KEV: No
Internet exposure:

EPSS

0.31% (54th percentile)

CVSS vector

CVSS 3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, base score 6.1 (MEDIUM)

• Attack Vector: Network (how the attacker reaches the target)
• Attack Complexity: Low (conditions required to exploit)
• Privileges Required: None (authentication level required)
• User Interaction: Required (whether the victim must act)
• Scope: Changed (impact reaches beyond the affected component)
• Confidentiality: Low (risk of sensitive data exposure)
• Integrity: Low (risk of unauthorized data modification)
• Availability: None (risk of service disruption)

Source: nextguardhq.com · CVSS v3.1 base score
What do these metrics mean?
Attack Vector
Network: exploitable remotely over the internet with no physical or local access. Largest attack surface.
Attack Complexity
Low: no special conditions; the vulnerability can be exploited reliably.
Privileges Required
None: no authentication or credentials needed.
User Interaction
Required: the victim must open a file, click a link or visit a crafted page.
Scope
Changed: the attack can reach beyond the vulnerable component and affect other systems.
Confidentiality
Low: some data can be accessed.
Integrity
Low: the attacker can modify some data, with limited impact.
Availability
None: no availability impact.

Affected software

Component: prestashop
Vendor: PrestaShop
Affected range: >= 1.5.0, < 1.7.7.2
Fixed version: 1.7.7.2

Weakness classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigations and alternatives

The primary mitigation for CVE-2021-21308 is to upgrade PrestaShop to version 1.7.7.2 or later, which completes the soft logout. The 1.5 and 1.6 branches received no fix, so installations on them must be migrated to 1.7.7.2 or later. If upgrading immediately is not feasible, reduce exposure in the meantime. The flaw lives in front-office session handling rather than in one URL, so a WAF cannot remove it, but a WAF or reverse proxy can reject state-changing front-office POSTs whose Origin or Referer is not your shop (the "foreign request" pattern). SameSite attributes on the customer cookie limit which cross-site requests carry it at all; the 1.7.7 branch exposes a cookie SameSite setting in the back office (Shop Parameters > General), while older branches would need the attribute added at the web-server layer. Monitor access logs for cross-origin or referer-less customer actions (address, identity or order changes). After upgrading, confirm the declared version is 1.7.7.2 or later and re-test the logout flow on a staging copy rather than attempting to exploit production.

Fix

Update PrestaShop to version 1.7.7.2 or later. This update fixes the improper session management that allowed an attacker to execute commands as a customer. Take a backup before updating.


Frequently asked questions

What is CVE-2021-21308 in PrestaShop?

CVE-2021-21308 is an improper session management vulnerability in PrestaShop versions 1.5.0 through 1.7.7.1: the front-office soft logout is incomplete, and an attacker can use a forged request to execute commands as the customer.

Am I affected by CVE-2021-21308 in PrestaShop?

Yes, if you are running any PrestaShop release from 1.5.0 through 1.7.7.1 (>= 1.5.0 and < 1.7.7.2), including the unsupported 1.5 and 1.6 branches.

How do I fix CVE-2021-21308 in PrestaShop?

Upgrade PrestaShop to version 1.7.7.2 or later. Until then, filtering cross-origin state-changing front-office requests at the WAF or reverse proxy and setting SameSite on the customer cookie reduce exposure, but they do not replace the upgrade.

Is CVE-2021-21308 being actively exploited?

No active exploitation is reported and the vulnerability is not on CISA KEV. No public proof of concept is recorded in this page's data (proof-of-concept status: unknown).

Where can I find the official PrestaShop advisory for CVE-2021-21308?

Refer to the PrestaShop security advisory linked by this page, https://blog.prestashop.com/security-vulnerability-ssrf-cve-2021-21308, and to the GitHub Security Advisory in the PrestaShop/PrestaShop repository for the affected and fixed versions.
