GMS-2020-574: PrestaShop gamification module ZIP archives were vulnerable from CVE-2017-9841

January 8, 2020

We have identified that some gamification module ZIP archives have been built with phpunit dev dependencies. PHPUnit contains a php script that would allow, on a webserver, an attacker to perform a RCE.

References

build.prestashop.com/news/critical-security-vulnerability-in-prestashop-modules/
github.com/PrestaShop/gamification/commit/5044bda903a7ea9596c21faa2b9a42244763568c
github.com/PrestaShop/gamification/security/advisories/GHSA-769f-539v-f5jg
github.com/advisories/GHSA-769f-539v-f5jg

Code Behaviors & Features

Detect and mitigate GMS-2020-574 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →