Filtered by vendor Prestashop
Subscriptions
Total
124 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-30282 | 1 Prestashop | 1 Scexportcustomers | 2025-01-29 | 7.5 High |
| PrestaShop scexportcustomers <= 3.6.1 is vulnerable to Incorrect Access Control. Due to a lack of permissions' control, a guest can access exports from the module which can lead to leak of personal information from customer table. | ||||
| CVE-2023-30194 | 1 Prestashop | 1 Poststaticfooter | 2025-01-27 | 9.8 Critical |
| Prestashop posstaticfooter <= 1.0.0 is vulnerable to SQL Injection via posstaticfooter::getPosCurrentHook(). | ||||
| CVE-2023-30192 | 1 Prestashop | 1 Possearchproducts | 2025-01-27 | 9.8 Critical |
| Prestashop possearchproducts 1.7 is vulnerable to SQL Injection via PosSearch::find(). | ||||
| CVE-2024-34716 | 1 Prestashop | 1 Prestashop | 2025-01-21 | 9.7 Critical |
| PrestaShop is an open source e-commerce web application. A cross-site scripting (XSS) vulnerability that only affects PrestaShops with customer-thread feature flag enabled is present starting from PrestaShop 8.1.0 and prior to PrestaShop 8.1.6. When the customer thread feature flag is enabled through the front-office contact form, a hacker can upload a malicious file containing an XSS that will be executed when an admin opens the attached file in back office. The script injected can access the session and the security token, which allows it to perform any authenticated action in the scope of the administrator's right. This vulnerability is patched in 8.1.6. A workaround is to disable the customer-thread feature-flag. | ||||
| CVE-2024-34717 | 1 Prestashop | 1 Prestashop | 2025-01-21 | 5.3 Medium |
| PrestaShop is an open source e-commerce web application. In PrestaShop 8.1.5, any invoice can be downloaded from front-office in anonymous mode, by supplying a random secure_key parameter in the url. This issue is patched in version 8.1.6. No known workarounds are available. | ||||
| CVE-2024-26129 | 1 Prestashop | 1 Prestashop | 2025-01-17 | 5.8 Medium |
| PrestaShop is an open-source e-commerce platform. Starting in version 8.1.0 and prior to version 8.1.4, PrestaShop is vulnerable to path disclosure in a JavaScript variable. A patch is available in version 8.1.4. | ||||
| CVE-2023-31672 | 1 Prestashop | 1 Prestashop | 2024-12-12 | 9.8 Critical |
| In the PrestaShop < 2.4.3 module "Length, weight or volume sell" (ailinear) there is a SQL injection vulnerability. | ||||
| CVE-2024-36626 | 1 Prestashop | 1 Prestashop | 2024-11-29 | 5.3 Medium |
| In prestashop 8.1.4, a NULL pointer dereference was identified in the math_round function within Tools.php. | ||||
| CVE-2024-36684 | 1 Prestashop | 1 Pk Customlinks | 2024-11-21 | 9.8 Critical |
| In the module "Custom links" (pk_customlinks) <= 2.3 from Promokit.eu for PrestaShop, a guest can perform SQL injection. The script ajax.php have a sensitive SQL call that can be executed with a trivial http call and exploited to forge a SQL injection. | ||||
| CVE-2024-33276 | 1 Prestashop | 1 Prestashop | 2024-11-21 | 9.8 Critical |
| SQL Injection vulnerability in FME Modules preorderandnotication v.3.1.0 and before allows a remote attacker to run arbitrary SQL commands via the PreorderModel::getIdProductAttributesByIdAttributes() method. | ||||
| CVE-2024-33272 | 1 Prestashop | 1 Prestashop | 2024-11-21 | 6.8 Medium |
| SQL injection vulnerability in KnowBand for PrestaShop autosuggest before 2.0.0 allows an attacker to run arbitrary SQL commands via the AutosuggestSearchModuleFrontController::initContent(), and AutosuggestSearchModuleFrontController::getKbProducts() components. | ||||
| CVE-2024-33271 | 1 Prestashop | 1 Fme | 2024-11-21 | 7.5 High |
| An issue in FME Modules eventsmanager before 4.4.0 allows an attacker to obtain sensitive information from the ps_customer component. | ||||
| CVE-2024-33270 | 1 Prestashop | 1 Prestashop | 2024-11-21 | 7.5 High |
| An issue in FME Modules fileuploads v.2.0.3 and before and fixed in v2.0.4 allows a remote attacker to obtain sensitive information via the uploadfiles.php component. | ||||
| CVE-2024-21628 | 1 Prestashop | 1 Prestashop | 2024-11-21 | 5.4 Medium |
| PrestaShop is an open-source e-commerce platform. Prior to version 8.1.3, the isCleanHtml method is not used on this this form, which makes it possible to store a cross-site scripting payload in the database. The impact is low because the HTML is not interpreted in BO, thanks to twig's escape mechanism. In FO, the cross-site scripting attack is effective, but only impacts the customer sending it, or the customer session from which it was sent. This issue affects those who have a module fetching these messages from the DB and displaying it without escaping HTML. Version 8.1.3 contains a patch for this issue. | ||||
| CVE-2024-21627 | 1 Prestashop | 1 Prestashop | 2024-11-21 | 8.1 High |
| PrestaShop is an open-source e-commerce platform. Prior to versions 8.1.3 and 1.7.8.11, some event attributes are not detected by the `isCleanHTML` method. Some modules using the `isCleanHTML` method could be vulnerable to cross-site scripting. Versions 8.1.3 and 1.7.8.11 contain a patch for this issue. The best workaround is to use the `HTMLPurifier` library to sanitize html input coming from users. The library is already available as a dependency in the PrestaShop project. Beware though that in legacy object models, fields of `HTML` type will call `isCleanHTML`. | ||||
| CVE-2023-48926 | 1 Prestashop | 1 Advanced Loyalty Program | 2024-11-21 | 5.3 Medium |
| An issue in 202 ecommerce Advanced Loyalty Program: Loyalty Points before v2.3.4 for PrestaShop allows unauthenticated attackers to arbitrarily change an order status. | ||||
| CVE-2023-47110 | 1 Prestashop | 1 Customer Reassurance Block | 2024-11-21 | 9.1 Critical |
| blockreassurance adds an information block aimed at offering helpful information to reassure customers that their store is trustworthy. An ajax function in module blockreassurance allows modifying any value in the configuration table. This vulnerability has been patched in version 5.1.4. | ||||
| CVE-2023-47109 | 1 Prestashop | 1 Customer Reassurance Block | 2024-11-21 | 5.5 Medium |
| PrestaShop blockreassurance adds an information block aimed at offering helpful information to reassure customers that the store is trustworthy. When adding a block in blockreassurance module, a BO user can modify the http request and give the path of any file in the project instead of an image. When deleting the block from the BO, the file will be deleted. It is possible to make the website completely unavailable by removing index.php for example. This issue has been patched in version 5.1.4. | ||||
| CVE-2023-43664 | 1 Prestashop | 1 Prestashop | 2024-11-21 | 4.3 Medium |
| PrestaShop is an Open Source e-commerce web application. In the Prestashop Back office interface, an employee can list all modules without any access rights: method `ajaxProcessGetPossibleHookingListForModule` doesn't check access rights. This issue has been addressed in commit `15bd281c` which is included in version 8.1.2. Users are advised to upgrade. There are no known workaround for this issue. | ||||
| CVE-2023-43663 | 1 Prestashop | 1 Prestashop | 2024-11-21 | 6.3 Medium |
| PrestaShop is an Open Source e-commerce web application. In affected versions any module can be disabled or uninstalled from back office, even with low user right. This allows low privileged users to disable portions of a shops functionality. Commit `ce1f6708` addresses this issue and is included in version 8.1.2. Users are advised to upgrade. There are no known workarounds for this issue. | ||||