VYPR

Bitnami package

prestashop

pkg:bitnami/prestashop

Vulnerabilities (29)

  • CVE-2026-44212 | Cri | May 14, 2026
    affected < 8.2.6; fixed 8.2.6

    PrestaShop is an open source e-commerce web application. Prior to 8.2.6 and 9.1.1, there is a stored Cross-Site Scripting (XSS) vulnerability in the PrestaShop back-office Customer Service view. An unauthenticated attacker can submit the public Contact Us form with a malicious em

  • CVE-2026-33674 | Low | Mar 26, 2026
    affected < 8.2.5; fixed 8.2.5

    PrestaShop is an open source e-commerce web application. Versions prior to 8.2.5 and 9.1.0 improperly use the validation framework. Versions 8.2.5 and 9.1.0 contain a fix. No known workarounds are available.

  • CVE-2026-33673 | Hig | Mar 26, 2026
    affected < 8.2.5; fixed 8.2.5

    PrestaShop is an open source e-commerce web application. Versions prior to 8.2.5 and 9.1.0 are vulnerable to stored Cross-Site Scripting (stored XSS) vulnerabilities in the BO. An attacker who can inject data into the database, via limited back-office access or a previously exist

  • CVE-2026-25597 | Feb 6, 2026
    affected < 8.2.4; fixed 8.2.4

    PrestaShop is an open source e-commerce web application. Prior to 8.2.4 and 9.0.3, there is a time-based user enumeration vulnerability in the user authentication functionality of PrestaShop. This vulnerability allows an attacker to determine whether a customer account exists in

  • CVE-2025-51586 | Sep 8, 2025
    affected < 8.2.1; fixed 8.2.1

    An issue was discovered in file controllers/admin/AdminLoginController.php in PrestaShop before 8.2.1 allowing attackers to gain sensitive information via the reset password feature.

  • CVE-2025-25692 | Jul 30, 2025
    affected >= 8.2.0, < 9.0.0; fixed 9.0.0

    A PHAR deserialization vulnerability in the _getHeaders function of PrestaShop v8.2.0 allows attackers to execute arbitrary code via a crafted POST request.

  • CVE-2025-25691 | Jul 30, 2025
    affected >= 8.2.0, < 9.0.0; fixed 9.0.0

    A PHAR deserialization vulnerability in the component /themes/import of PrestaShop v8.2.0 allows attackers to execute arbitrary code via a crafted POST request.

  • CVE-2024-36626 | Nov 29, 2024
    affected >= 8.1.4, < 8.1.6; fixed 8.1.6

    In PrestaShop 8.1.4, a NULL pointer dereference was identified in the math_round function within Tools.php.

  • CVE-2024-41651 | Aug 12, 2024
    affected < 9.0.0; fixed 9.0.0

    An issue in PrestaShop v.8.1.7 and before allows a remote attacker to execute arbitrary code via the module upgrade functionality. NOTE: this is disputed by multiple parties, who report that exploitation requires that an attacker be able to hijack network requests made by an admi

  • CVE-2024-34717 | May 14, 2024
    affected >= 8.1.5, < 8.1.6; fixed 8.1.6

    PrestaShop is an open source e-commerce web application. In PrestaShop 8.1.5, any invoice can be downloaded from front-office in anonymous mode, by supplying a random secure_key parameter in the url. This issue is patched in version 8.1.6. No known workarounds are available.

  • CVE-2024-34716 | May 14, 2024
    affected >= 8.1.0, < 8.1.6; fixed 8.1.6

    PrestaShop is an open source e-commerce web application. A cross-site scripting (XSS) vulnerability that only affects PrestaShops with customer-thread feature flag enabled is present starting from PrestaShop 8.1.0 and prior to PrestaShop 8.1.6. When the customer thread feature fl

  • CVE-2024-26129 | Feb 19, 2024
    affected >= 8.1.0, < 8.1.5; fixed 8.1.5

    PrestaShop is an open-source e-commerce platform. Starting in version 8.1.0 and prior to version 8.1.4, PrestaShop is vulnerable to path disclosure in a JavaScript variable. A patch is available in version 8.1.4.

  • CVE-2024-21628 | Jan 2, 2024
    affected < 8.1.3; fixed 8.1.3

    PrestaShop is an open-source e-commerce platform. Prior to version 8.1.3, the isCleanHtml method is not used on this form, which makes it possible to store a cross-site scripting payload in the database. The impact is low because the HTML is not interpreted in BO, thanks to

  • CVE-2024-21627 | Jan 2, 2024
    affected >= 8.0.0, < 8.1.3; fixed 8.1.3

    PrestaShop is an open-source e-commerce platform. Prior to versions 8.1.3 and 1.7.8.11, some event attributes are not detected by the `isCleanHTML` method. Some modules using the `isCleanHTML` method could be vulnerable to cross-site scripting. Versions 8.1.3 and 1.7.8.11 contain

  • CVE-2023-43664 | Sep 28, 2023
    affected < 8.1.2; fixed 8.1.2

    PrestaShop is an Open Source e-commerce web application. In the PrestaShop back-office interface, an employee can list all modules without any access rights: method `ajaxProcessGetPossibleHookingListForModule` doesn't check access rights. This issue has been addressed in commit `

  • CVE-2023-43663 | Sep 28, 2023
    affected < 8.1.2; fixed 8.1.2

    PrestaShop is an Open Source e-commerce web application. In affected versions any module can be disabled or uninstalled from back office, even with low user rights. This allows low privileged users to disable portions of a shop's functionality. Commit `ce1f6708` addresses this issu

  • CVE-2023-39530 | Aug 7, 2023
    affected < 8.1.1; fixed 8.1.1

    PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, it is possible to delete files from the server via the CustomerMessage API. Version 8.1.1 contains a patch for this issue. There are no known workarounds.

  • CVE-2023-39529 | Aug 7, 2023
    affected < 8.1.1; fixed 8.1.1

    PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, it is possible to delete a file from the server by using the Attachments controller and the Attachments API. Version 8.1.1 contains a patch for this issue. There are no known workarounds.

  • CVE-2023-39528 | Aug 7, 2023
    affected < 8.1.1; fixed 8.1.1

    PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, the `displayAjaxEmailHTML` method can be used to read any file on the server, potentially even outside of the project if the server is not correctly configured. Version 8.1.1 contains a patch for thi

  • CVE-2023-39527 | Aug 7, 2023
    affected >= 8.0.0, < 8.0.5; fixed 8.0.5

    PrestaShop is an open source e-commerce web application. Versions prior to 1.7.8.10, 8.0.5, and 8.1.1 are vulnerable to cross-site scripting through the `isCleanHTML` method. Versions 1.7.8.10, 8.0.5, and 8.1.1 contain a patch. There are no known workarounds.

Page 1 of 2