Filtered by vendor Prestashop
Subscriptions
Total
121 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-30839 | 1 Prestashop | 1 Prestashop | 2024-08-02 | 10 Critical |
| PrestaShop is an Open Source e-commerce web application. Versions prior to 8.0.4 and 1.7.8.9 contain a SQL filtering vulnerability. A BO user can write, update, and delete in the database, even without having specific rights. PrestaShop 8.0.4 and 1.7.8.9 contain a patch for this issue. There are no known workarounds. | ||||
| CVE-2023-30545 | 1 Prestashop | 1 Prestashop | 2024-08-02 | 7.7 High |
| PrestaShop is an Open Source e-commerce web application. Prior to versions 8.0.4 and 1.7.8.9, it is possible for a user with access to the SQL Manager (Advanced Options -> Database) to arbitrarily read any file on the operating system when using SQL function `LOAD_FILE` in a `SELECT` request. This gives the user access to critical information. A patch is available in PrestaShop 8.0.4 and PS 1.7.8.9 | ||||
| CVE-2023-30282 | 1 Prestashop | 1 Scexportcustomers | 2024-08-02 | 7.5 High |
| PrestaShop scexportcustomers <= 3.6.1 is vulnerable to Incorrect Access Control. Due to a lack of permissions' control, a guest can access exports from the module which can lead to leak of personal information from customer table. | ||||
| CVE-2023-30153 | 1 Prestashop | 1 Payplug | 2024-08-02 | 9.8 Critical |
| An SQL injection vulnerability in the Payplug (payplug) module for PrestaShop, in versions 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.7.0 and 3.7.1, allows remote attackers to execute arbitrary SQL commands via the ajax.php front controller. | ||||
| CVE-2023-30194 | 1 Prestashop | 1 Poststaticfooter | 2024-08-02 | 9.8 Critical |
| Prestashop posstaticfooter <= 1.0.0 is vulnerable to SQL Injection via posstaticfooter::getPosCurrentHook(). | ||||
| CVE-2023-30149 | 2 Ebewe, Prestashop | 2 City Autocomplete, Prestashop | 2024-08-02 | 9.8 Critical |
| SQL injection vulnerability in the City Autocomplete (cityautocomplete) module from ebewe.net for PrestaShop, prior to version 1.8.12 (for PrestaShop version 1.5/1.6) or prior to 2.0.3 (for PrestaShop version 1.7), allows remote attackers to execute arbitrary SQL commands via the type, input_name. or q parameter in the autocompletion.php front controller. | ||||
| CVE-2023-30192 | 1 Prestashop | 1 Possearchproducts | 2024-08-02 | 9.8 Critical |
| Prestashop possearchproducts 1.7 is vulnerable to SQL Injection via PosSearch::find(). | ||||
| CVE-2023-30151 | 1 Prestashop | 1 Prestashop | 2024-08-02 | 9.8 Critical |
| A SQL injection vulnerability in the Boxtal (envoimoinscher) module for PrestaShop, after version 3.1.10, allows remote attackers to execute arbitrary SQL commands via the `key` GET parameter. | ||||
| CVE-2023-27569 | 1 Prestashop | 1 Eo Tags | 2024-08-02 | 9.8 Critical |
| The eo_tags package before 1.3.0 for PrestaShop allows SQL injection via an HTTP User-Agent or Referer header. | ||||
| CVE-2023-27570 | 1 Prestashop | 1 Eo Tags | 2024-08-02 | 9.8 Critical |
| The eo_tags package before 1.4.19 for PrestaShop allows SQL injection via a crafted _ga cookie. | ||||
| CVE-2023-25207 | 1 Prestashop | 1 Dpd France | 2024-08-02 | 9.8 Critical |
| PrestaShop dpdfrance <6.1.3 is vulnerable to SQL Injection via dpdfrance/ajax.php. | ||||
| CVE-2023-25206 | 1 Prestashop | 1 Advanced Reviews | 2024-08-02 | 8.8 High |
| PrestaShop ws_productreviews < 3.6.2 is vulnerable to SQL Injection. | ||||
| CVE-2023-25170 | 1 Prestashop | 1 Prestashop | 2024-08-02 | 5 Medium |
| PrestaShop is an open source e-commerce web application that, prior to version 8.0.1, is vulnerable to cross-site request forgery (CSRF). When authenticating users, PrestaShop preserves session attributes. Because this does not clear CSRF tokens upon login, this might enable same-site attackers to bypass the CSRF protection mechanism by performing an attack similar to a session-fixation. The problem is fixed in version 8.0.1. | ||||
| CVE-2023-24763 | 1 Prestashop | 1 Xen Forum | 2024-08-02 | 8.8 High |
| In the module "Xen Forum" (xenforum) for PrestaShop, an authenticated user can perform SQL injection in versions up to 2.13.0. | ||||
| CVE-2024-33271 | 1 Prestashop | 1 Fme | 2024-08-02 | 7.5 High |
| An issue in FME Modules eventsmanager before 4.4.0 allows an attacker to obtain sensitive information from the ps_customer component. | ||||
| CVE-2024-33270 | 1 Prestashop | 1 Prestashop | 2024-08-02 | N/A |
| An issue in FME Modules fileuploads v.2.0.3 and before and fixed in v2.0.4 allows a remote attacker to obtain sensitive information via the uploadfiles.php component. | ||||
| CVE-2024-33276 | 1 Prestashop | 1 Prestashop | 2024-08-02 | 9.8 Critical |
| SQL Injection vulnerability in FME Modules preorderandnotication v.3.1.0 and before allows a remote attacker to run arbitrary SQL commands via the PreorderModel::getIdProductAttributesByIdAttributes() method. | ||||
| CVE-2024-33272 | 1 Prestashop | 1 Prestashop | 2024-08-02 | 6.8 Medium |
| SQL injection vulnerability in KnowBand for PrestaShop autosuggest before 2.0.0 allows an attacker to run arbitrary SQL commands via the AutosuggestSearchModuleFrontController::initContent(), and AutosuggestSearchModuleFrontController::getKbProducts() components. | ||||
| CVE-2024-26129 | 1 Prestashop | 1 Prestashop | 2024-08-01 | 5.8 Medium |
| PrestaShop is an open-source e-commerce platform. Starting in version 8.1.0 and prior to version 8.1.4, PrestaShop is vulnerable to path disclosure in a JavaScript variable. A patch is available in version 8.1.4. | ||||
| CVE-2024-21627 | 1 Prestashop | 1 Prestashop | 2024-08-01 | 8.1 High |
| PrestaShop is an open-source e-commerce platform. Prior to versions 8.1.3 and 1.7.8.11, some event attributes are not detected by the `isCleanHTML` method. Some modules using the `isCleanHTML` method could be vulnerable to cross-site scripting. Versions 8.1.3 and 1.7.8.11 contain a patch for this issue. The best workaround is to use the `HTMLPurifier` library to sanitize html input coming from users. The library is already available as a dependency in the PrestaShop project. Beware though that in legacy object models, fields of `HTML` type will call `isCleanHTML`. | ||||