Total
82 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-5285 | 1 Prestashop | 1 Prestashop | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| In PrestaShop between versions 1.7.6.0 and 1.7.6.5, there is a reflected XSS with `back` parameter. The problem is fixed in 1.7.6.5 | |||||
| CVE-2020-5286 | 1 Prestashop | 1 Prestashop | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| In PrestaShop between versions 1.7.4.0 and 1.7.6.5, there is a reflected XSS when uploading a wrong file. The problem is fixed in 1.7.6.5 | |||||
| CVE-2020-15079 | 1 Prestashop | 1 Prestashop | 2024-02-04 | 5.5 MEDIUM | 5.4 MEDIUM |
| In PrestaShop from version 1.5.0.0 and before version 1.7.6.6, there is improper access control in Carrier page, Module Manager and Module Positions. The problem is fixed in version 1.7.6.6 | |||||
| CVE-2020-5279 | 1 Prestashop | 1 Prestashop | 2024-02-04 | 6.4 MEDIUM | 6.5 MEDIUM |
| In PrestaShop between versions 1.5.0.0 and 1.7.6.5, there are improper access control since the the version 1.5.0.0 for legacy controllers. - admin-dev/index.php/configure/shop/customer-preferences/ - admin-dev/index.php/improve/international/translations/ - admin-dev/index.php/improve/international/geolocation/ - admin-dev/index.php/improve/international/localization - admin-dev/index.php/configure/advanced/performance - admin-dev/index.php/sell/orders/delivery-slips/ - admin-dev/index.php?controller=AdminStatuses The problem is fixed in 1.7.6.5 | |||||
| CVE-2020-5293 | 1 Prestashop | 1 Prestashop | 2024-02-04 | 6.4 MEDIUM | 6.5 MEDIUM |
| In PrestaShop between versions 1.7.0.0 and 1.7.6.5, there are improper access controls on product page with combinations, attachments and specific prices. The problem is fixed in 1.7.6.5. | |||||
| CVE-2020-15081 | 1 Prestashop | 1 Prestashop | 2024-02-04 | 5.0 MEDIUM | 5.3 MEDIUM |
| In PrestaShop from version 1.5.0.0 and before 1.7.6.6, there is information exposure in the upload directory. The problem is fixed in version 1.7.6.6. A possible workaround is to add an empty index.php file in the upload directory. | |||||
| CVE-2020-15082 | 1 Prestashop | 1 Prestashop | 2024-02-04 | 7.5 HIGH | 8.8 HIGH |
| In PrestaShop from version 1.6.0.1 and before version 1.7.6.6, the dashboard allows rewriting all configuration variables. The problem is fixed in 1.7.6.6 | |||||
| CVE-2020-11074 | 1 Prestashop | 1 Prestashop | 2024-02-04 | 3.5 LOW | 5.4 MEDIUM |
| In PrestaShop from version 1.5.3.0 and before version 1.7.6.6, there is a stored XSS when using the name of a quick access item. The problem is fixed in 1.7.6.6. | |||||
| CVE-2020-5269 | 1 Prestashop | 1 Prestashop | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| In PrestaShop between versions 1.7.6.1 and 1.7.6.5, there is a reflected XSS on AdminFeatures page by using the `id_feature` parameter. The problem is fixed in 1.7.6.5 | |||||
| CVE-2013-4791 | 1 Prestashop | 1 Prestashop | 2024-02-04 | 3.5 LOW | 5.4 MEDIUM |
| PrestaShop before 1.4.11 allows Logistician, translators and other low level profiles/accounts to inject a persistent XSS vector on TinyMCE. | |||||
| CVE-2019-19594 | 2 Adobe, Prestashop | 2 Stock Api Integration, Prestashop | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| reset/modules/fotoliaFoto/multi_upload.php in the RESET.PRO Adobe Stock API Integration for PrestaShop 1.6 and 1.7 allows remote attackers to execute arbitrary code by uploading a .php file. | |||||
| CVE-2012-2517 | 1 Prestashop | 1 Prestashop | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in PrestaShop before 1.4.9 allows remote attackers to inject arbitrary web script or HTML via the index of the product[] parameter to ajax.php. | |||||
| CVE-2020-5250 | 1 Prestashop | 1 Prestashop | 2024-02-04 | 4.9 MEDIUM | 6.3 MEDIUM |
| In PrestaShop before version 1.7.6.4, when a customer edits their address, they can freely change the id_address in the form, and thus steal someone else's address. It is the same with CustomerForm, you are able to change the id_customer and change all information of all accounts. The problem is patched in version 1.7.6.4. | |||||
| CVE-2013-4792 | 1 Prestashop | 1 Prestashop | 2024-02-04 | 3.5 LOW | 5.5 MEDIUM |
| PrestaShop before 1.4.11 allows logout CSRF. | |||||
| CVE-2019-19595 | 2 Adobe, Prestashop | 2 Stock Api Integration, Prestashop | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| reset/modules/advanced_form_maker_edit/multiupload/upload.php in the RESET.PRO Adobe Stock API integration 4.8 for PrestaShop allows remote attackers to execute arbitrary code by uploading a .php file. | |||||
| CVE-2013-6358 | 1 Prestashop | 1 Prestashop | 2024-02-04 | 9.0 HIGH | 8.8 HIGH |
| PrestaShop 1.5.5 allows remote authenticated attackers to execute arbitrary code by uploading a crafted profile and then accessing it in the module/ directory. | |||||
| CVE-2013-6295 | 1 Prestashop | 1 Prestashop | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| PrestaShop 1.5.5 vulnerable to privilege escalation via a Salesman account via upload module | |||||
| CVE-2020-6632 | 1 Prestashop | 1 Prestashop | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| In PrestaShop 1.7.6.2, XSS can occur during addition or removal of a QuickAccess link. This is related to AdminQuickAccessesController.php, themes/default/template/header.tpl, and themes/new-theme/js/header.js. | |||||
| CVE-2019-13461 | 1 Prestashop | 1 Prestashop | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
| In PrestaShop before 1.7.6.0 RC2, the id_address_delivery and id_address_invoice parameters are affected by an Insecure Direct Object Reference vulnerability due to a guessable value sent to the web application during checkout. An attacker could leak personal customer information. This is PrestaShop bug #14444. | |||||
| CVE-2019-11876 | 2 Drupal, Prestashop | 2 Drupal, Prestashop | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| In PrestaShop 1.7.5.2, the shop_country parameter in the install/index.php installation script/component is affected by Reflected XSS. Exploitation by a malicious actor requires the user to follow the initial stages of the setup (accepting terms and conditions) before executing the malicious link. | |||||