Filtered by vendor Prestashop
Subscribe
Total
115 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-24763 | 1 Prestashop | 1 Xen Forum | 2025-03-07 | N/A | 8.8 HIGH |
| In the module "Xen Forum" (xenforum) for PrestaShop, an authenticated user can perform SQL injection in versions up to 2.13.0. | |||||
| CVE-2023-25207 | 1 Prestashop | 1 Dpd France | 2025-03-03 | N/A | 9.8 CRITICAL |
| PrestaShop dpdfrance <6.1.3 is vulnerable to SQL Injection via dpdfrance/ajax.php. | |||||
| CVE-2023-27569 | 1 Prestashop | 1 Eo Tags | 2025-02-26 | N/A | 9.8 CRITICAL |
| The eo_tags package before 1.3.0 for PrestaShop allows SQL injection via an HTTP User-Agent or Referer header. | |||||
| CVE-2023-27570 | 1 Prestashop | 1 Eo Tags | 2025-02-26 | N/A | 9.8 CRITICAL |
| The eo_tags package before 1.4.19 for PrestaShop allows SQL injection via a crafted _ga cookie. | |||||
| CVE-2023-30149 | 2 Ebewe, Prestashop | 2 City Autocomplete, Prestashop | 2025-01-31 | N/A | 9.8 CRITICAL |
| SQL injection vulnerability in the City Autocomplete (cityautocomplete) module from ebewe.net for PrestaShop, prior to version 1.8.12 (for PrestaShop version 1.5/1.6) or prior to 2.0.3 (for PrestaShop version 1.7), allows remote attackers to execute arbitrary SQL commands via the type, input_name. or q parameter in the autocompletion.php front controller. | |||||
| CVE-2023-30282 | 1 Prestashop | 1 Scexportcustomers | 2025-01-29 | N/A | 7.5 HIGH |
| PrestaShop scexportcustomers <= 3.6.1 is vulnerable to Incorrect Access Control. Due to a lack of permissions' control, a guest can access exports from the module which can lead to leak of personal information from customer table. | |||||
| CVE-2023-30194 | 1 Prestashop | 1 Poststaticfooter | 2025-01-27 | N/A | 9.8 CRITICAL |
| Prestashop posstaticfooter <= 1.0.0 is vulnerable to SQL Injection via posstaticfooter::getPosCurrentHook(). | |||||
| CVE-2023-30192 | 1 Prestashop | 1 Possearchproducts | 2025-01-27 | N/A | 9.8 CRITICAL |
| Prestashop possearchproducts 1.7 is vulnerable to SQL Injection via PosSearch::find(). | |||||
| CVE-2024-34716 | 1 Prestashop | 1 Prestashop | 2025-01-21 | N/A | 9.6 CRITICAL |
| PrestaShop is an open source e-commerce web application. A cross-site scripting (XSS) vulnerability that only affects PrestaShops with customer-thread feature flag enabled is present starting from PrestaShop 8.1.0 and prior to PrestaShop 8.1.6. When the customer thread feature flag is enabled through the front-office contact form, a hacker can upload a malicious file containing an XSS that will be executed when an admin opens the attached file in back office. The script injected can access the session and the security token, which allows it to perform any authenticated action in the scope of the administrator's right. This vulnerability is patched in 8.1.6. A workaround is to disable the customer-thread feature-flag. | |||||
| CVE-2024-34717 | 1 Prestashop | 1 Prestashop | 2025-01-21 | N/A | 5.3 MEDIUM |
| PrestaShop is an open source e-commerce web application. In PrestaShop 8.1.5, any invoice can be downloaded from front-office in anonymous mode, by supplying a random secure_key parameter in the url. This issue is patched in version 8.1.6. No known workarounds are available. | |||||
| CVE-2024-26129 | 1 Prestashop | 1 Prestashop | 2025-01-17 | N/A | 5.8 MEDIUM |
| PrestaShop is an open-source e-commerce platform. Starting in version 8.1.0 and prior to version 8.1.4, PrestaShop is vulnerable to path disclosure in a JavaScript variable. A patch is available in version 8.1.4. | |||||
| CVE-2024-36684 | 1 Prestashop | 1 Pk Customlinks | 2024-11-21 | N/A | 9.8 CRITICAL |
| In the module "Custom links" (pk_customlinks) <= 2.3 from Promokit.eu for PrestaShop, a guest can perform SQL injection. The script ajax.php have a sensitive SQL call that can be executed with a trivial http call and exploited to forge a SQL injection. | |||||
| CVE-2023-48926 | 1 Prestashop | 1 Advanced Loyalty Program | 2024-11-21 | N/A | 5.3 MEDIUM |
| An issue in 202 ecommerce Advanced Loyalty Program: Loyalty Points before v2.3.4 for PrestaShop allows unauthenticated attackers to arbitrarily change an order status. | |||||
| CVE-2023-47110 | 1 Prestashop | 1 Customer Reassurance Block | 2024-11-21 | N/A | 9.1 CRITICAL |
| blockreassurance adds an information block aimed at offering helpful information to reassure customers that their store is trustworthy. An ajax function in module blockreassurance allows modifying any value in the configuration table. This vulnerability has been patched in version 5.1.4. | |||||
| CVE-2023-47109 | 1 Prestashop | 1 Customer Reassurance Block | 2024-11-21 | N/A | 5.5 MEDIUM |
| PrestaShop blockreassurance adds an information block aimed at offering helpful information to reassure customers that the store is trustworthy. When adding a block in blockreassurance module, a BO user can modify the http request and give the path of any file in the project instead of an image. When deleting the block from the BO, the file will be deleted. It is possible to make the website completely unavailable by removing index.php for example. This issue has been patched in version 5.1.4. | |||||
| CVE-2023-43664 | 1 Prestashop | 1 Prestashop | 2024-11-21 | N/A | 4.3 MEDIUM |
| PrestaShop is an Open Source e-commerce web application. In the Prestashop Back office interface, an employee can list all modules without any access rights: method `ajaxProcessGetPossibleHookingListForModule` doesn't check access rights. This issue has been addressed in commit `15bd281c` which is included in version 8.1.2. Users are advised to upgrade. There are no known workaround for this issue. | |||||
| CVE-2023-43663 | 1 Prestashop | 1 Prestashop | 2024-11-21 | N/A | 6.3 MEDIUM |
| PrestaShop is an Open Source e-commerce web application. In affected versions any module can be disabled or uninstalled from back office, even with low user right. This allows low privileged users to disable portions of a shops functionality. Commit `ce1f6708` addresses this issue and is included in version 8.1.2. Users are advised to upgrade. There are no known workarounds for this issue. | |||||
| CVE-2023-39530 | 1 Prestashop | 1 Prestashop | 2024-11-21 | N/A | 6.5 MEDIUM |
| PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, it is possible to delete files from the server via the CustomerMessage API. Version 8.1.1 contains a patch for this issue. There are no known workarounds. | |||||
| CVE-2023-39529 | 1 Prestashop | 1 Prestashop | 2024-11-21 | N/A | 6.7 MEDIUM |
| PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, it is possible to delete a file from the server by using the Attachments controller and the Attachments API. Version 8.1.1 contains a patch for this issue. There are no known workarounds. | |||||
| CVE-2023-39528 | 1 Prestashop | 1 Prestashop | 2024-11-21 | N/A | 6.8 MEDIUM |
| PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, the `displayAjaxEmailHTML` method can be used to read any file on the server, potentially even outside of the project if the server is not correctly configured. Version 8.1.1 contains a patch for this issue. There are no known workarounds. | |||||