Latest Prestashop Vulnerabilities

CVE-2023-48926
An issue in 202 ecommerce Advanced Loyalty Program: Loyalty Points before v2.3.4 for PrestaShop allows unauthenticated attackers to arbitrarily change an order status.
Prestashop Advanced Loyalty Program<2.3.4
CVE-2024-21628
XSS can be stored in DB from "add a message form" in order detail page (FO)
composer/prestashop/prestashop<8.1.3
Prestashop Prestashop<8.1.3
<8.1.3
CVE-2024-21627
Some attribute not escaped in Validate::isCleanHTML method
composer/prestashop/prestashop<1.7.8.11
composer/prestashop/prestashop>=8.0.0-beta.1<8.1.3
Prestashop Prestashop<1.7.8.11
Prestashop Prestashop>=8.0.0<8.1.3
<1.7.8.11
>=8.0.0<8.1.3
CVE-2023-47110
Any value can be changed in the configuration table by an employee having access to block reassurance module
Prestashop Customer Reassurance Block<5.1.4
composer/prestashop/blockreassurance<=5.1.3
CVE-2023-47109
PrestaShop blockreassurance BO User can remove any file from server when adding a and deleting a block
composer/prestashop/blockreassurance<=5.1.3
Prestashop Customer Reassurance Block<5.1.4
CVE-2023-36263
Prestashop opartlimitquantity 1.4.5 and before is vulnerable to SQL Injection. OpartlimitquantityAlertlimitModuleFrontController::displayAjaxPushAlertMessage()` has sensitive SQL calls that can be exe...
Prestashop Opartlimitquantity<1.4.6
CVE-2023-43663
PrestaShop is an Open Source e-commerce web application. In affected versions any module can be disabled or uninstalled from back office, even with low user right. This allows low privileged users to ...
Prestashop Prestashop<8.1.2
CVE-2023-43664
PrestaShop is an Open Source e-commerce web application. In the Prestashop Back office interface, an employee can list all modules without any access rights: method `ajaxProcessGetPossibleHookingListF...
Prestashop Prestashop<8.1.2
CVE-2022-45448
M4 PDF plugin for Prestashop sites, in its 3.2.3 version and before, is vulnerable to an arbitrary HTML Document crafting vulnerability. The resource /m4pdf/pdf.php uses templates to dynamically creat...
Prestashop M4 Pdf<=3.2.3
CVE-2022-45447
M4 PDF plugin for Prestashop sites, in its 3.2.3 version and before, is vulnerable to a directory traversal vulnerability. The “f” parameter is not properly checked in the resource /m4pdf/pdf.php, ret...
Prestashop M4 Pdf<=3.2.3
CVE-2023-39528
PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, the `displayAjaxEmailHTML` method can be used to read any file on the server, potentially even outside of the project i...
Prestashop Prestashop<8.1.1
CVE-2023-39530
PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, it is possible to delete files from the server via the CustomerMessage API. Version 8.1.1 contains a patch for this iss...
Prestashop Prestashop<8.1.1
composer/prestashop/prestashop<=8.1.0
CVE-2023-39529
PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, it is possible to delete a file from the server by using the Attachments controller and the Attachments API. Version 8....
Prestashop Prestashop<8.1.1
composer/prestashop/prestashop<=8.1.0
CVE-2023-39525
PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, in the back office, files can be compromised using path traversal by replaying the import file deletion query with a sp...
Prestashop Prestashop<8.1.1
CVE-2023-39527
PrestaShop is an open source e-commerce web application. Versions prior to 1.7.8.10, 8.0.5, and 8.1.1 are vulnerable to cross-site scripting through the `isCleanHTML` method. Versions 1.7.8.10, 8.0.5,...
Prestashop Prestashop<1.7.8.10
Prestashop Prestashop>=8.0.0<8.0.5
Prestashop Prestashop=8.1.0
CVE-2023-39526
### Impact Remote code execution through SQL injection and arbitrary file write in back office ### Patches 1.7.8.10 8.0.5 8.1.1 ### Found by Truff (via yeswehack) ### Workarounds none ### Referenc...
Prestashop Prestashop<1.7.8.10
Prestashop Prestashop>=8.0.0<8.0.5
Prestashop Prestashop=8.1.0
CVE-2023-39524
### Impact SQL injection possible in product search field, in BO's product page ### Patches 8.1.1 ### Found by Aleksey Solovev (Positive Technologies) ### Workarounds none ### References none
composer/prestashop/prestashop<=8.1.0
Prestashop Prestashop<8.1.1
CVE-2023-33777
An issue in /functions/fbaorder.php of Prestashop amazon before v5.2.24 allows attackers to execute a directory traversal attack.
Prestashop amazon<5.2.24
CVE-2023-30153
An SQL injection vulnerability in the Payplug (payplug) module for PrestaShop, in versions 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.7.0 and 3.7.1, allows remote attackers to execute arbitrary SQL commands via th...
Prestashop Payplug>=3.6.0<3.8.2
CVE-2023-30151
A SQL injection vulnerability in the Boxtal (envoimoinscher) module for PrestaShop, after version 3.1.10, allows remote attackers to execute arbitrary SQL commands via the `key` GET parameter.
Prestashop Prestashop<3.1.10
CVE-2023-30149
SQL injection vulnerability in the City Autocomplete (cityautocomplete) module from ebewe.net for PrestaShop, prior to version 1.8.12 (for PrestaShop version 1.5/1.6) or prior to 2.0.3 (for PrestaShop...
Ebewe City Autocomplete<1.8.12
Prestashop Prestashop=1.5.0.0
Prestashop Prestashop=1.6.0.0
Ebewe City Autocomplete<2.0.3
Prestashop Prestashop=1.7.0.0
CVE-2023-30192
Prestashop possearchproducts 1.7 is vulnerable to SQL Injection via PosSearch::find().
Prestashop Possearchproducts=1.7
CVE-2023-30194
Prestashop posstaticfooter <= 1.0.0 is vulnerable to SQL Injection via posstaticfooter::getPosCurrentHook().
Prestashop Poststaticfooter<=1.0.0
CVE-2023-30282
PrestaShop scexportcustomers <= 3.6.1 is vulnerable to Incorrect Access Control. Due to a lack of permissions' control, a guest can access exports from the module which can lead to leak of personal in...
Prestashop Scexportcustomers<=3.6.1
CVE-2023-30838
PrestaShop is an Open Source e-commerce web application. Prior to versions 8.0.4 and 1.7.8.9, the `ValidateCore::isCleanHTML()` method of Prestashop misses hijackable events which can lead to cross-si...
Prestashop Prestashop<1.7.8.9
Prestashop Prestashop>=8.0.0<8.0.4
CVE-2023-30839
PrestaShop is an Open Source e-commerce web application. Versions prior to 8.0.4 and 1.7.8.9 contain a SQL filtering vulnerability. A BO user can write, update, and delete in the database, even withou...
Prestashop Prestashop<1.7.8.9
Prestashop Prestashop>=8.0.0<8.0.4
CVE-2023-30545
PrestaShop is an Open Source e-commerce web application. Prior to versions 8.0.4 and 1.7.8.9, it is possible for a user with access to the SQL Manager (Advanced Options -> Database) to arbitrarily rea...
Prestashop Prestashop<1.7.8.9
Prestashop Prestashop>=8.0.0<8.0.4
CVE-2023-27570
The eo_tags package before 1.4.19 for PrestaShop allows SQL injection via a crafted _ga cookie.
Prestashop Eo Tags>=1.2.0<1.4.19
CVE-2023-27569
The eo_tags package before 1.3.0 for PrestaShop allows SQL injection via an HTTP User-Agent or Referer header.
Prestashop Eo Tags>=1.2.0<1.3.0
CVE-2023-25206
PrestaShop ws_productreviews < 3.6.2 is vulnerable to SQL Injection.
Prestashop Advanced Reviews<3.6.2
CVE-2023-25207
PrestaShop dpdfrance <6.1.3 is vulnerable to SQL Injection via dpdfrance/ajax.php.
Prestashop Dpd France<6.1.3
CVE-2023-25170
PrestaShop is an open source e-commerce web application that, prior to version 8.0.1, is vulnerable to cross-site request forgery (CSRF). When authenticating users, PrestaShop preserves session attrib...
Prestashop Prestashop<8.0.1
CVE-2023-24763
In the module "Xen Forum" (xenforum) for PrestaShop, an authenticated user can perform SQL injection in versions up to 2.13.0.
Prestashop Xen Forum<2.13.0
CVE-2022-46158
PrestaShop is an open-source e-commerce solution. Versions prior to 1.7.8.8 did not properly restrict host filesystem access for users. Users may have been able to view the contents of the upload dire...
Prestashop Prestashop<1.7.8.8
CVE-2022-35933
This package is a PrestaShop module that allows users to post reviews and rate products. There is a vulnerability where the attacker could steal an administrator's cookie. The issue is fixed in versio...
Prestashop Productcomments<5.0.2
CVE-2022-31181
PrestaShop is an Open Source e-commerce platform. In versions from 1.6.0.10 and before 1.7.8.7 PrestaShop is subject to an SQL injection vulnerability which can be chained to call PHP's Eval function ...
Prestashop Prestashop>=1.6.0.10<1.7.8.7
CVE-2022-21686
PrestaShop is an Open Source e-commerce platform. Starting with version 1.7.0.0 and ending with version 1.7.8.3, an attacker is able to inject twig code inside the back office when using the legacy la...
Prestashop Prestashop>=1.7.0.0<=1.7.8.3
CVE-2012-20001
PrestaShop before 1.5.2.0 allows XSS via the `<object data='data:text/html` substring in the message field.
Prestashop Prestashop<1.5.2
CVE-2021-43789
PrestaShop is an Open Source e-commerce web application. Versions of PrestaShop prior to 1.7.8.2 are vulnerable to blind SQL injection using search filters with `orderBy` and `sortOrder` parameters. T...
Prestashop Prestashop>=1.7.5.0<1.7.8.2
CVE-2021-21418
ps_emailsubscription is a newsletter subscription module for the PrestaShop platform. An employee can inject javascript in the newsletter condition field that will then be executed on the front office...
Prestashop Ps Emailsubscription>=2.6.0<2.6.1
CVE-2021-21398
PrestaShop is a fully scalable open source e-commerce solution. In PrestaShop before version 1.7.7.3, an attacker can inject HTML when the Grid Column Type DataColumn is badly used. The problem is fix...
Prestashop Prestashop>=1.7.7.0<1.7.7.3
CVE-2021-21308
PrestaShop is a fully scalable open source e-commerce solution. In PrestaShop before version 1.7.2 the soft logout system is not complete and an attacker is able to foreign request and executes custom...
Prestashop Prestashop>1.5.0.0<1.7.7.2
CVE-2021-21302
Prestashop Prestashop>1.5.0.0<1.7.7.2
CVE-2021-3110
The store system in PrestaShop 1.7.7.0 allows time-based boolean SQL injection via the module=productcomments controller=CommentGrade id_products[] parameter.
Prestashop Prestashop=1.7.7.0
CVE-2020-26248
In the PrestaShop module "productcomments" before version 4.2.1, an attacker can use a Blind SQL injection to retrieve data or stop the MySQL service. The problem is fixed in 4.2.1 of the module.
Prestashop Productcomments<4.2.1
CVE-2020-26225
In PrestaShop Product Comments before version 4.2.0, an attacker could inject malicious web code into the users' web browsers by creating a malicious link. The problem was introduced in version 4.0.0 ...
PrestaShop Product Comments>=4.0.0<4.2.0
CVE-2020-26224
In PrestaShop before version 1.7.6.9 an attacker is able to list all the orders placed on the website without being logged by abusing the function that allows a shopping cart to be recreated from an o...
Prestashop Prestashop<1.7.6.9
CVE-2020-15160
Prestashop Prestashop>=1.7.5.0<1.7.6.8
CVE-2020-15161
In PrestaShop from version 1.6.0.4 and before version 1.7.6.8 an attacker is able to inject javascript while using the contact form. The problem is fixed in 1.7.6.8
Prestashop Prestashop>=1.6.0.4<1.7.6.8
CVE-2020-15178
In PrestaShop contactform module (prestashop/contactform) before version 4.3.0, an attacker is able to inject JavaScript while using the contact form. The `message` field was incorrectly unescaped, po...
Prestashop Contactform<4.3.0

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203