Filtered by vendor Prestashop
Subscriptions
Total
124 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-24763 | 1 Prestashop | 1 Xen Forum | 2025-03-07 | 8.8 High |
| In the module "Xen Forum" (xenforum) for PrestaShop, an authenticated user can perform SQL injection in versions up to 2.13.0. | ||||
| CVE-2023-25207 | 1 Prestashop | 1 Dpd France | 2025-03-03 | 9.8 Critical |
| PrestaShop dpdfrance <6.1.3 is vulnerable to SQL Injection via dpdfrance/ajax.php. | ||||
| CVE-2023-25206 | 1 Prestashop | 1 Advanced Reviews | 2025-02-27 | 8.8 High |
| PrestaShop ws_productreviews < 3.6.2 is vulnerable to SQL Injection. | ||||
| CVE-2023-27569 | 1 Prestashop | 1 Eo Tags | 2025-02-26 | 9.8 Critical |
| The eo_tags package before 1.3.0 for PrestaShop allows SQL injection via an HTTP User-Agent or Referer header. | ||||
| CVE-2023-27570 | 1 Prestashop | 1 Eo Tags | 2025-02-26 | 9.8 Critical |
| The eo_tags package before 1.4.19 for PrestaShop allows SQL injection via a crafted _ga cookie. | ||||
| CVE-2023-25170 | 1 Prestashop | 1 Prestashop | 2025-02-25 | 5 Medium |
| PrestaShop is an open source e-commerce web application that, prior to version 8.0.1, is vulnerable to cross-site request forgery (CSRF). When authenticating users, PrestaShop preserves session attributes. Because this does not clear CSRF tokens upon login, this might enable same-site attackers to bypass the CSRF protection mechanism by performing an attack similar to a session-fixation. The problem is fixed in version 8.0.1. | ||||
| CVE-2023-30545 | 1 Prestashop | 1 Prestashop | 2025-02-03 | 7.7 High |
| PrestaShop is an Open Source e-commerce web application. Prior to versions 8.0.4 and 1.7.8.9, it is possible for a user with access to the SQL Manager (Advanced Options -> Database) to arbitrarily read any file on the operating system when using SQL function `LOAD_FILE` in a `SELECT` request. This gives the user access to critical information. A patch is available in PrestaShop 8.0.4 and PS 1.7.8.9 | ||||
| CVE-2023-30838 | 1 Prestashop | 1 Prestashop | 2025-02-03 | 8.6 High |
| PrestaShop is an Open Source e-commerce web application. Prior to versions 8.0.4 and 1.7.8.9, the `ValidateCore::isCleanHTML()` method of Prestashop misses hijackable events which can lead to cross-site scripting (XSS) injection, allowed by the presence of pre-setup `@keyframes` methods. This XSS, which hijacks HTML attributes, can be triggered without any interaction by the visitor/administrator, which makes it as dangerous as a trivial XSS attack. Contrary to other attacks which target HTML attributes and are triggered without user interaction (such as onload / onerror which suffer from a very limited scope), this one can hijack every HTML element, which increases the danger due to a complete HTML elements scope. Versions 8.0.4 and 1.7.8.9 contain a fix for this issue. | ||||
| CVE-2023-30839 | 1 Prestashop | 1 Prestashop | 2025-02-03 | 10 Critical |
| PrestaShop is an Open Source e-commerce web application. Versions prior to 8.0.4 and 1.7.8.9 contain a SQL filtering vulnerability. A BO user can write, update, and delete in the database, even without having specific rights. PrestaShop 8.0.4 and 1.7.8.9 contain a patch for this issue. There are no known workarounds. | ||||
| CVE-2023-30149 | 2 Ebewe, Prestashop | 2 City Autocomplete, Prestashop | 2025-01-31 | 9.8 Critical |
| SQL injection vulnerability in the City Autocomplete (cityautocomplete) module from ebewe.net for PrestaShop, prior to version 1.8.12 (for PrestaShop version 1.5/1.6) or prior to 2.0.3 (for PrestaShop version 1.7), allows remote attackers to execute arbitrary SQL commands via the type, input_name. or q parameter in the autocompletion.php front controller. | ||||
| CVE-2023-30282 | 1 Prestashop | 1 Scexportcustomers | 2025-01-29 | 7.5 High |
| PrestaShop scexportcustomers <= 3.6.1 is vulnerable to Incorrect Access Control. Due to a lack of permissions' control, a guest can access exports from the module which can lead to leak of personal information from customer table. | ||||
| CVE-2023-30194 | 1 Prestashop | 1 Poststaticfooter | 2025-01-27 | 9.8 Critical |
| Prestashop posstaticfooter <= 1.0.0 is vulnerable to SQL Injection via posstaticfooter::getPosCurrentHook(). | ||||
| CVE-2023-30192 | 1 Prestashop | 1 Possearchproducts | 2025-01-27 | 9.8 Critical |
| Prestashop possearchproducts 1.7 is vulnerable to SQL Injection via PosSearch::find(). | ||||
| CVE-2024-34716 | 1 Prestashop | 1 Prestashop | 2025-01-21 | 9.7 Critical |
| PrestaShop is an open source e-commerce web application. A cross-site scripting (XSS) vulnerability that only affects PrestaShops with customer-thread feature flag enabled is present starting from PrestaShop 8.1.0 and prior to PrestaShop 8.1.6. When the customer thread feature flag is enabled through the front-office contact form, a hacker can upload a malicious file containing an XSS that will be executed when an admin opens the attached file in back office. The script injected can access the session and the security token, which allows it to perform any authenticated action in the scope of the administrator's right. This vulnerability is patched in 8.1.6. A workaround is to disable the customer-thread feature-flag. | ||||
| CVE-2024-34717 | 1 Prestashop | 1 Prestashop | 2025-01-21 | 5.3 Medium |
| PrestaShop is an open source e-commerce web application. In PrestaShop 8.1.5, any invoice can be downloaded from front-office in anonymous mode, by supplying a random secure_key parameter in the url. This issue is patched in version 8.1.6. No known workarounds are available. | ||||
| CVE-2024-26129 | 1 Prestashop | 1 Prestashop | 2025-01-17 | 5.8 Medium |
| PrestaShop is an open-source e-commerce platform. Starting in version 8.1.0 and prior to version 8.1.4, PrestaShop is vulnerable to path disclosure in a JavaScript variable. A patch is available in version 8.1.4. | ||||
| CVE-2023-31672 | 1 Prestashop | 1 Prestashop | 2024-12-12 | 9.8 Critical |
| In the PrestaShop < 2.4.3 module "Length, weight or volume sell" (ailinear) there is a SQL injection vulnerability. | ||||
| CVE-2024-36626 | 1 Prestashop | 1 Prestashop | 2024-11-29 | 5.3 Medium |
| In prestashop 8.1.4, a NULL pointer dereference was identified in the math_round function within Tools.php. | ||||
| CVE-2024-36684 | 1 Prestashop | 1 Pk Customlinks | 2024-11-21 | 9.8 Critical |
| In the module "Custom links" (pk_customlinks) <= 2.3 from Promokit.eu for PrestaShop, a guest can perform SQL injection. The script ajax.php have a sensitive SQL call that can be executed with a trivial http call and exploited to forge a SQL injection. | ||||
| CVE-2024-33276 | 1 Prestashop | 1 Prestashop | 2024-11-21 | 9.8 Critical |
| SQL Injection vulnerability in FME Modules preorderandnotication v.3.1.0 and before allows a remote attacker to run arbitrary SQL commands via the PreorderModel::getIdProductAttributesByIdAttributes() method. | ||||