Unrated severity · NVD Advisory · Published Apr 20, 2020 · Updated Aug 4, 2024
Open redirection when using back parameter of PrestaShop
CVE-2020-5270
Description
In PrestaShop between versions 1.7.6.0 and 1.7.6.5, there is an open redirection when using the back parameter. The impacts can be many and vary from the theft of information and credentials to redirection to malicious websites containing attacker-controlled content, which in some cases can even lead to XSS attacks. So even though an open redirection might sound harmless at first, its impact can be severe should it be exploitable. The problem is fixed in 1.7.6.5.
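As an added example that is not PrestaShop's own code, the kind of allow-list check a back office should run on a user-supplied back URL before redirecting to it; the function name and the host shop.example are assumptions. It accepts only site-relative paths or absolute http(s) URLs on an allow-listed host and refuses the protocol-relative, backslash and userinfo forms that commonly slip past naive prefix checks.

```php
<?php
// Added example, not PrestaShop code: allow-list check for a user-supplied "back" URL
// before it is used as a redirect target. Accepts site-relative paths and absolute
// http(s) URLs whose host is allow-listed; everything else is refused.
function isSafeBackUrl(string $back, array $allowedHosts): bool
{
    // Control characters and whitespace have no place in a redirect target.
    if ($back === '' || preg_match('/[\x00-\x20\x7f]/', $back)) {
        return false;
    }
    // Browsers treat a backslash like a slash, so "/\evil.example" is really "//evil.example".
    $normalized = str_replace('\\', '/', $back);
    // Site-relative path: exactly one leading "/" ("//host" is a protocol-relative URL).
    if ($normalized[0] === '/') {
        return !isset($normalized[1]) || $normalized[1] !== '/';
    }

    $parts = parse_url($normalized);
    // "javascript:alert(1)" parses with a scheme but no host; a bare "evil.example"
    // has neither. Refuse anything that is not a full scheme://host URL.
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // "https://shop.example@evil.example/" lands on evil.example: refuse userinfo outright.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }

    $allowed = array_map('strtolower', $allowedHosts);
    return in_array(strtolower($parts['host']), $allowed, true);
}

// Constructed sample inputs (shop.example is an assumed back office host).
$allowedHosts = ['shop.example'];
$samples = [
    '/admin-dev/index.php?controller=AdminOrders',
    'https://shop.example/admin-dev/',
    '//evil.example/',
    '/\\evil.example/',
    'https://evil.example/',
    'https://shop.example@evil.example/',
    'javascript:alert(1)',
];
foreach ($samples as $url) {
    printf("%-45s %s\n", $url, isSafeBackUrl($url, $allowedHosts) ? 'allowed' : 'refused');
}
```

Only the first two samples are allowed; the check is deliberately strict, so a query-only value such as `?controller=AdminOrders` is also refused and should be given a leading `/` by the caller.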
Affected products
Range: >= 1.7.6.0, < 1.7.6.5
Patches
2270ed6f80fad Merge pull request #18659 from sowbiba/changelog-1765
1 file changed · +41 −0
docs/CHANGELOG.txt+41 −0 modified@@ -24,6 +24,47 @@ International Registered Trademark & Property of PrestaShop SA Release Notes for PrestaShop 1.7 -------------------------------- +#################################### +# v1.7.6.5 - (2020-04-17) +#################################### +- Back Office: + - Bug fix: + - #18637: Fix sidebar not displayed in BO Add employee page (by @Progi1984) + - #18607: Fix wrong number of "Last emails" in BO - Customer View page (by @PululuK) + - #17920: Wrong redirection when using the quick search for a category (by @PululuK) + - #18064: Fix error when trying to translate Serbian using the BO interface (by @eternoendless) +- Front Office: + - Bug fix: + - #18633: Convert cart rule value when order currency is different (by @sowbiba) + - #18493: Change product redirection rules to redirect to valid attribute url (by @jolelievre) + - #18103: Duplicate address when submitting a form with errors (by @PierreRambaud) +- Core: + - Improvement: + - #18638: Update version to 1.7.6.5 (by @PierreRambaud) + - Bug fix: + - #GHSA-cvjj-grfv-f56w - Improper access control on product page with combinations, attachments and specific prices (by @PierreRambaud) + - #GHSA-4wxg-33h3-3w5r - Improper access control on product attributes page (by @PierreRambaud) + - #GHSA-r6rp-6gv6-r9hq - Improper access control on customers search (by @PierreRambaud) + - #GHSA-74vp-ww64-w2gm - Improper Access Control (by @PierreRambaud) + - #GHSA-98j8-hvjv-x47j - Reflected XSS related in import page (by @PierreRambaud) + - #GHSA-j3r6-33hf-m8wh - Reflected XSS with back parameter (by @PierreRambaud) + - #GHSA-mrpj-67mq-3fr5 - Reflected XSS on Exception page (by @PierreRambaud) + - #GHSA-q6pr-42v5-v97q - Reflected XSS on AdminCarts page (by @PierreRambaud) + - #GHSA-rpg3-f23r-jmqv - Reflected XSS on Search page (by @PierreRambaud) + - #GHSA-m2x6-c2c6-pjrx - Reflected XSS with dashboard calendar (by @PierreRambaud) + - #GHSA-375w-q56h-h7qc - Open redirection when using back 
parameter (by @PierreRambaud) + - #GHSA-87jh-7xpg-6v93 - Reflected XSS on AdminFeatures page (by @PierreRambaud) + - #GHSA-7fmr-5vcc-329j - Reflected XSS on AdminAttributesGroups page (by @PierreRambaud) + - #GHSA-48vj-vvr6-jj4f - Reflected XSS in security compromised page (by @PierreRambaud) + +- Installer: + - Bug fix: + - #18491: Installation under CLI doesn't take BASE_URI and Apache rewrite in consideration (by @PierreRambaud) + - #18451: Use scandir instead of readdir to get sorted entities (by @PierreRambaud) +- Tests: + - Bug fix: + - #18309: Change test fixtures that need to be in the future (by @jolelievre) + #################################### # v1.7.6.4 - (2020-03-02) ####################################
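Review bot: the security fixes listed under Core in this hunk carry only a GHSA id (for example `#GHSA-375w-q56h-h7qc - Open redirection when using back parameter`) while every other entry carries a PR number; add the merge commit or advisory URL so a reader of CHANGELOG.txt can trace each security fix to its code change. The `#` prefix on those ids also reads like a GitHub issue reference, which it is not.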
cd2219dca499 Merge pull request from GHSA-375w-q56h-h7qc
3 files changed · +88 −21
src/PrestaShopBundle/EventListener/BackUrlRedirectResponseListener.php+19 −2 modified@@ -26,6 +26,8 @@ namespace PrestaShopBundle\EventListener; +use Employee; +use PrestaShop\PrestaShop\Adapter\LegacyContext; use PrestaShop\PrestaShop\Core\Util\Url\BackUrlProvider; use Symfony\Component\HttpFoundation\RedirectResponse; use Symfony\Component\HttpFoundation\Request; @@ -41,17 +43,32 @@ final class BackUrlRedirectResponseListener */ private $backUrlProvider; + /** + * @var int + */ + private $employeeId; + /** * @param BackUrlProvider $backUrlProvider */ public function __construct( - BackUrlProvider $backUrlProvider - ) { + BackUrlProvider $backUrlProvider, + LegacyContext $legacyContext + ) { $this->backUrlProvider = $backUrlProvider; + $context = $legacyContext->getContext(); + if (null !== $context && $context->employee instanceof Employee) { + $this->employeeId = $context->employee->id; + } } public function onKernelResponse(FilterResponseEvent $event) { + // No need to continue because the employee is not connected + if (empty($this->employeeId)) { + return; + } + $currentRequest = $event->getRequest(); $originalResponse = $event->getResponse();
src/PrestaShopBundle/Resources/config/services/bundle/event_listener.yml+1 −0 modified@@ -89,6 +89,7 @@ services: class: PrestaShopBundle\EventListener\BackUrlRedirectResponseListener arguments: - '@prestashop.core.uti.back_url_provider' + - "@prestashop.adapter.legacy.context" tags: - { name: kernel.event_listener, event: kernel.response, method: onKernelResponse }
tests/Unit/PrestaShopBundle/EventListener/BackUrlRedirectResponseListenerTest.php+68 −19 modified@@ -26,7 +26,10 @@ namespace Tests\Unit\PrestaShopBundle\EventListener; +use Employee; +use Context; use PHPUnit\Framework\TestCase; +use PrestaShop\PrestaShop\Adapter\LegacyContext; use PrestaShop\PrestaShop\Core\Util\Url\BackUrlProvider; use PrestaShopBundle\EventListener\BackUrlRedirectResponseListener; use Symfony\Component\HttpFoundation\RedirectResponse; @@ -51,19 +54,47 @@ protected function setUp() ; } - public function testItSetsResponseWithBackUrl() + protected function getLegacyContextMock($isConnected = true) { - $expectedUrl = 'http://localhost'; + $legacyContextMock = $this->getMockBuilder(LegacyContext::class) + ->setMethods(array( + 'getContext', + )) + ->getMock(); + + $employeeMock = $this->getMockBuilder(Employee::class)->getMock(); + $employeeMock->id = $isConnected ? 1 : null; + + $contextMock = $this->getMockBuilder(Context::class)->getMock(); + $contextMock->employee = $employeeMock; + + $legacyContextMock->expects($this->any())->method('getContext')->willReturn($contextMock); + + return $legacyContextMock; + } - $backUrlProvider = $this + protected function getBackUrlProviderMock($backUrl) + { + $backUrlProviderMock = $this ->getMockBuilder(BackUrlProvider::class) ->getMock() ; - $backUrlProvider + $backUrlProviderMock ->method('getBackUrl') - ->willReturn($expectedUrl) + ->willReturn($backUrl) ; + return $backUrlProviderMock; + } + + public function testItSetsResponseWithBackUrl() + { + $expectedUrl = 'http://localhost'; + + $legacyContextMock = $this->getLegacyContextMock(); + $backUrlProviderMock = $this->getBackUrlProviderMock( + $expectedUrl + ); $this->filterResponseEventMock ->method('getResponse') 
@@ -75,7 +106,10 @@ public function testItSetsResponseWithBackUrl() ->willReturn(new Request()) ; - $responseListener = new BackUrlRedirectResponseListener($backUrlProvider); + $responseListener = new BackUrlRedirectResponseListener( + $backUrlProviderMock, + $legacyContextMock + ); $responseListener->onKernelResponse($this->filterResponseEventMock); @@ -87,19 +121,14 @@ public function testItSetsResponseWithBackUrl() public function testWhenRequestAndResponseUrlsAreEqualItDoesNotModifyOriginalResponse() { - $requestAndResponseUrl = 'http://localhost'; - - $backUrlProvider = $this - ->getMockBuilder(BackUrlProvider::class) - ->getMock() - ; + $expectedUrl = 'http://localhost'; - $backUrlProvider - ->method('getBackUrl') - ->willReturn('http://localhost-not-called.dev') - ; + $legacyContextMock = $this->getLegacyContextMock(); + $backUrlProviderMock = $this->getBackUrlProviderMock( + 'http://localhost-not-called.dev' + ); - $originalRedirectResponse = new RedirectResponse($requestAndResponseUrl); + $originalRedirectResponse = new RedirectResponse($expectedUrl); $this->filterResponseEventMock ->method('getResponse') 
@@ -112,20 +141,40 @@ public function testWhenRequestAndResponseUrlsAreEqualItDoesNotModifyOriginalRes $currentRequest ->method('getRequestUri') - ->willReturn($requestAndResponseUrl) + ->willReturn($expectedUrl) ; $this->filterResponseEventMock ->method('getRequest') ->willReturn($currentRequest) ; - $responseListener = new BackUrlRedirectResponseListener($backUrlProvider); + $responseListener = new BackUrlRedirectResponseListener( + $backUrlProviderMock, + $legacyContextMock + ); $responseListener->onKernelResponse($this->filterResponseEventMock); $actual = $this->filterResponseEventMock->getResponse(); $this->assertEquals($originalRedirectResponse, $actual); } + + public function testWhenEmployeeIsNotConnected() + { + $expectedUrl = 'http://localhost'; + + $legacyContextMock = $this->getLegacyContextMock(false); + $backUrlProviderMock = $this->getBackUrlProviderMock( + 'http://localhost-not-called.dev' + ); + + $responseListener = new BackUrlRedirectResponseListener( + $backUrlProviderMock, + $legacyContextMock + ); + + $this->assertNull($responseListener->onKernelResponse($this->filterResponseEventMock)); + } }
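Review bot: in the `BackUrlRedirectResponseListener` hunk the new guard only checks that an employee is connected (`if (empty($this->employeeId)) { return; }`); nothing in the visible change validates the URL returned by `$this->backUrlProvider->getBackUrl(...)` against the shop's own host, so for an authenticated employee the redirect target is only as safe as the provider makes it. If `BackUrlProvider` does not already restrict the target to a site-relative path or the back office host, add that check here before the back URL is applied to the response. Minor: `$employeeId` is documented as `@var int` but stays unset when there is no employee context; declare it `@var int|null` (or initialise it to `null`) so the docblock matches the `empty()` check.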
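Review bot: in the `event_listener.yml` hunk the added argument uses double quotes (`"@prestashop.adapter.legacy.context"`) while the existing one uses single quotes (`'@prestashop.core.uti.back_url_provider'`); use one quoting style within the arguments list.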
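Review bot: `testWhenEmployeeIsNotConnected` asserts only that `onKernelResponse()` returns `null`, but the method returns nothing on every path (the early `return;` and the normal fall-through alike), so the test would still pass if the guard were deleted. Assert instead that the event's response was left untouched, for example by giving `filterResponseEventMock` a `getResponse` stub and comparing its result with the original response the way `testWhenRequestAndResponseUrlsAreEqualItDoesNotModifyOriginalResponse` does.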
References
- github.com/PrestaShop/PrestaShop/commit/cd2219dca49965ae8421bb5a53fc301f3f23c458 (MISC)
- github.com/PrestaShop/PrestaShop/security/advisories/GHSA-375w-q56h-h7qc (CONFIRM)