Filtered by vendor Prestashop
Subscribe
Total
106 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2015-1175 | 1 Prestashop | 1 Prestashop | 2024-11-21 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in blocklayered-ajax.php in the blocklayered module in PrestaShop 1.6.0.9 and earlier allows remote attackers to inject arbitrary web script or HTML via the layered_price_slider parameter. | |||||
| CVE-2012-6641 | 1 Prestashop | 1 Prestashop | 2024-11-21 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in redirect.php in the Socolissimo module (modules/socolissimo/) in PrestaShop before 1.4.7.2 allows remote attackers to inject arbitrary web script or HTML via vectors related to "parameter names and values." | |||||
| CVE-2012-5801 | 1 Prestashop | 2 Ebay, Prestashop | 2024-11-21 | 5.8 MEDIUM | N/A |
| The PayPal module in PrestaShop does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, related to use of the PHP fsockopen function. | |||||
| CVE-2012-5800 | 1 Prestashop | 2 Ebay Module, Prestashop | 2024-11-21 | 5.8 MEDIUM | N/A |
| The eBay module in PrestaShop does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. | |||||
| CVE-2012-5799 | 2 Prestashop, Presto-changeo | 2 Prestashop, Canadapost | 2024-11-21 | 5.8 MEDIUM | N/A |
| The Canada Post (aka CanadaPost) module in PrestaShop does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, related to use of the PHP fsockopen function. | |||||
| CVE-2011-4545 | 1 Prestashop | 1 Prestashop | 2024-11-21 | 5.0 MEDIUM | N/A |
| CRLF injection vulnerability in admin/displayImage.php in Prestashop 1.4.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the name parameter. | |||||
| CVE-2011-4544 | 1 Prestashop | 1 Prestashop | 2024-11-21 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in Prestashop before 1.5 allow remote attackers to inject arbitrary web script or HTML via the (1) address or (2) relativ_base_dir parameter to modules/mondialrelay/googlemap.php; the (3) relativ_base_dir, (4) Pays, (5) Ville, (6) CP, (7) Poids, (8) Action, or (9) num parameter to prestashop/modules/mondialrelay/googlemap.php; (10) the num_mode parameter to modules/mondialrelay/kit_mondialrelay/RechercheDetailPointRelais_ajax.php; (11) the Expedition parameter to modules/mondialrelay/kit_mondialrelay/SuiviExpedition_ajax.php; or the (12) folder or (13) name parameter to admin/ajaxfilemanager/ajax_save_text.php. | |||||
| CVE-2011-3796 | 1 Prestashop | 1 Prestashop | 2024-11-21 | 5.0 MEDIUM | N/A |
| PrestaShop 1.4.0.6 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by product-sort.php and certain other files. | |||||
| CVE-2008-6503 | 1 Prestashop | 1 Prestashop | 2024-11-21 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in PrestaShop 1.1.0.3 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) admin/login.php and (2) order.php. | |||||
| CVE-2008-5791 | 1 Prestashop | 1 Prestashop | 2024-11-21 | 10.0 HIGH | N/A |
| Multiple unspecified vulnerabilities in PrestaShop e-Commerce Solution before 1.1 Beta 2 (aka 1.1.0.1) have unknown impact and attack vectors, related to the (1) bankwire module, (2) cheque module, and other components. | |||||
| CVE-2024-41651 | 1 Prestashop | 1 Prestashop | 2024-10-09 | N/A | 8.1 HIGH |
| An issue in Prestashop v.8.1.7 and before allows a remote attacker to execute arbitrary code via the module upgrade functionality. NOTE: this is disputed by multiple parties, who report that exploitation requires that an attacker be able to hijack network requests made by an admin user (who, by design, is allowed to change the code that is running on the server). | |||||
| CVE-2023-36263 | 1 Prestashop | 1 Opartlimitquantity | 2024-09-06 | N/A | 9.8 CRITICAL |
| Prestashop opartlimitquantity 1.4.5 and before is vulnerable to SQL Injection. OpartlimitquantityAlertlimitModuleFrontController::displayAjaxPushAlertMessage()` has sensitive SQL calls that can be executed with a trivial http call and exploited to forge a SQL injection. | |||||
| CVE-2024-36684 | 1 Prestashop | 1 Pk Customlinks | 2024-08-19 | N/A | 9.8 CRITICAL |
| In the module "Custom links" (pk_customlinks) <= 2.3 from Promokit.eu for PrestaShop, a guest can perform SQL injection. The script ajax.php have a sensitive SQL call that can be executed with a trivial http call and exploited to forge a SQL injection. | |||||
| CVE-2023-48926 | 1 Prestashop | 1 Advanced Loyalty Program | 2024-02-05 | N/A | 5.3 MEDIUM |
| An issue in 202 ecommerce Advanced Loyalty Program: Loyalty Points before v2.3.4 for PrestaShop allows unauthenticated attackers to arbitrarily change an order status. | |||||
| CVE-2023-39528 | 1 Prestashop | 1 Prestashop | 2024-02-05 | N/A | 8.6 HIGH |
| PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, the `displayAjaxEmailHTML` method can be used to read any file on the server, potentially even outside of the project if the server is not correctly configured. Version 8.1.1 contains a patch for this issue. There are no known workarounds. | |||||
| CVE-2023-39529 | 1 Prestashop | 1 Prestashop | 2024-02-05 | N/A | 9.1 CRITICAL |
| PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, it is possible to delete a file from the server by using the Attachments controller and the Attachments API. Version 8.1.1 contains a patch for this issue. There are no known workarounds. | |||||
| CVE-2023-39530 | 1 Prestashop | 1 Prestashop | 2024-02-05 | N/A | 9.1 CRITICAL |
| PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, it is possible to delete files from the server via the CustomerMessage API. Version 8.1.1 contains a patch for this issue. There are no known workarounds. | |||||
| CVE-2023-39527 | 1 Prestashop | 1 Prestashop | 2024-02-05 | N/A | 6.1 MEDIUM |
| PrestaShop is an open source e-commerce web application. Versions prior to 1.7.8.10, 8.0.5, and 8.1.1 are vulnerable to cross-site scripting through the `isCleanHTML` method. Versions 1.7.8.10, 8.0.5, and 8.1.1 contain a patch. There are no known workarounds. | |||||
| CVE-2023-39524 | 1 Prestashop | 1 Prestashop | 2024-02-05 | N/A | 9.8 CRITICAL |
| PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, SQL injection possible in the product search field, in BO's product page. Version 8.1.1 contains a patch for this issue. There are no known workarounds. | |||||
| CVE-2023-30151 | 1 Prestashop | 1 Prestashop | 2024-02-05 | N/A | 9.8 CRITICAL |
| A SQL injection vulnerability in the Boxtal (envoimoinscher) module for PrestaShop, after version 3.1.10, allows remote attackers to execute arbitrary SQL commands via the `key` GET parameter. | |||||