In the module “Opart Devis” (opartdevis) up to version 4.0.2 unauthenticated attackers can have access to any user’s invoice and delivery address by exploiting an IDOR on the delivery_address and invoice_address fields.


  • CVE ID: CVE-2020-16194
  • Published at: 2020-06-07
  • Platform: PrestaShop
  • Product: opartdevis
  • Impacted release: < 4.0.2
  • Product author: Opart
  • Weakness: CWE-639
  • Severity: high (7.5)


Due to a broken access control, an unauthenticated attackers can exploit an IDOR to get delivery_address and invoice_address fields.

Note : We didn’t do semver versionning before 2018 - so consider all versions which matched this pattern : XX-XX-XX to be updated without delay.

CVSS base metrics

  • Attack vector: network
  • Attack complexity: low
  • Privilege required: none
  • User interaction: none
  • Scope: unchanged
  • Confidentiality: high
  • Integrity: None
  • Availability: None

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Possible malicious usage

  • access to any user’s invoice and delivery address


  • It’s recommended to upgrade to the latest version of the module opartdevis.


Date Action
2021-04-02 Publish this security advisory

Opart thanks login-securite for its courtesy and its help.