GMS-2020-573: PrestaShop autoupgrade module ZIP archives were vulnerable from CVE-2017-9841

January 8, 2020

We have identified that some autoupgrade module ZIP archives have been built with phpunit dev dependencies. PHPUnit contains a php script that would allow, on a webserver, an attacker to perform a RCE.

References

github.com/PrestaShop/autoupgrade/commit/ce96357ad3ff6278bb28dc225913e75c2f077a32
github.com/PrestaShop/autoupgrade/security/advisories/GHSA-wqq8-mqj9-697f
github.com/advisories/GHSA-wqq8-mqj9-697f

Code Behaviors & Features

Detect and mitigate GMS-2020-573 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →