Vendor CVEs
Prestashop
All CVEs
221 total · sorted by risk

| CVE | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|
| CVE-2025-25691 | 0.00 | — | 0.01 | Jul 30, 2025 | A PHAR deserialization vulnerability in the component /themes/import of PrestaShop v8.2.0 allows attackers to execute arbitrary code via a crafted POST request. |
| CVE-2024-36626 | 0.00 | — | 0.01 | Nov 29, 2024 | In prestashop 8.1.4, a NULL pointer dereference was identified in the math_round function within Tools.php. |
| CVE-2024-36678 | 0.00 | — | 0.01 | Jun 19, 2024 | In the module "Theme settings" (pk_themesettings) <= 1.8.8 from Promokit.eu for PrestaShop, a guest can perform SQL injection. The script ajax.php has a sensitive SQL call that can be executed with a trivial http call and exploited to forge a SQL injection. |
| CVE-2024-34717 | 0.00 | — | 0.01 | May 14, 2024 | PrestaShop is an open source e-commerce web application. In PrestaShop 8.1.5, any invoice can be downloaded from front-office in anonymous mode, by supplying a random secure_key parameter in the url. This issue is patched in version 8.1.6. No known workarounds are available. |
| CVE-2024-34716 | 0.00 | — | 0.56 | May 14, 2024 | PrestaShop is an open source e-commerce web application. A cross-site scripting (XSS) vulnerability that only affects PrestaShops with customer-thread feature flag enabled is present starting from PrestaShop 8.1.0 and prior to PrestaShop 8.1.6. When the customer thread feature… |
| CVE-2024-28390 | 0.00 | — | 0.01 | Mar 14, 2024 | An issue in Advanced Plugins ultimateimagetool module for PrestaShop before v.2.2.01, allows a remote attacker to escalate privileges and obtain sensitive information via Improper Access Control. |
| CVE-2024-28391 | 0.00 | — | 0.01 | Mar 14, 2024 | SQL injection vulnerability in FME Modules quickproducttable module for PrestaShop v.1.2.1 and before, allows a remote attacker to escalate privileges and obtain information via the readCsv(), displayAjaxProductChangeAttr, displayAjaxProductAddToCart, getSearchProducts, and… |
| CVE-2024-25848 | 0.00 | — | 0.00 | Mar 8, 2024 | In the module "Ever Ultimate SEO" (everpsseo) <= 8.1.2 from Team Ever for PrestaShop, a guest can perform SQL injection in affected versions. |
| CVE-2024-25849 | 0.00 | — | 0.01 | Mar 8, 2024 | In the module "Make an offer" (makeanoffer) <= 1.7.1 from PrestaToolKit for PrestaShop, a guest can perform SQL injection via `MakeOffers::checkUserExistingOffer()` and `MakeOffers::addUserOffer()`. |
| CVE-2024-25845 | 0.00 | — | 0.01 | Mar 8, 2024 | In the module "CD Custom Fields 4 Orders" (cdcustomfields4orders) <= 1.0.0 from Cleanpresta.com for PrestaShop, a guest can perform SQL injection in affected versions. |
| CVE-2024-25844 | 0.00 | — | 0.01 | Mar 3, 2024 | An issue was discovered in Common-Services "So Flexibilite" (soflexibilite) module for PrestaShop before version 4.1.26, allows remote attackers to escalate privileges and obtain sensitive information via debug file. |
| CVE-2024-25839 | 0.00 | — | 0.00 | Mar 3, 2024 | An issue was discovered in Webbax "Super Newsletter" (supernewsletter) module for PrestaShop versions 1.4.21 and before, allows local attackers to escalate privileges and obtain sensitive information. |
| CVE-2024-25842 | 0.00 | — | 0.01 | Mar 3, 2024 | An issue was discovered in Presta World "Account Manager - Sales Representative & Dealers - CRM" (prestasalesmanager) module for PrestaShop before version 9.0, allows remote attackers to escalate privilege and obtain sensitive information via the uploadLogo() and postProcess… |
| CVE-2024-25843 | 0.00 | — | 0.01 | Feb 27, 2024 | In the module "Import/Update Bulk Product from any Csv/Excel File Pro" (ba_importer) up to version 1.1.28 from Buy Addons for PrestaShop, a guest can perform SQL injection in affected versions. |
| CVE-2024-25840 | 0.00 | — | 0.01 | Feb 27, 2024 | In the module "Account Manager \| Sales Representative & Dealers \| CRM" (prestasalesmanager) up to 9.0 from Presta World for PrestaShop, a guest can download personal information without restriction by performing a path traversal attack. |
| CVE-2024-25841 | 0.00 | — | 0.00 | Feb 27, 2024 | In the module "So Flexibilite" (soflexibilite) from Common-Services for PrestaShop < 4.1.26, a guest (authenticated customer) can perform Cross Site Scripting (XSS) injection. |
| CVE-2024-24309 | 0.00 | — | 0.01 | Feb 23, 2024 | In the module "Survey TMA" (ecomiz_survey_tma) up to version 2.0.0 from Ecomiz for PrestaShop, a guest can download personal information without restriction. |
| CVE-2024-24310 | 0.00 | — | 0.01 | Feb 23, 2024 | In the module "Generate barcode on invoice / delivery slip" (ecgeneratebarcode) from Ether Creation <= 1.2.0 for PrestaShop, a guest can perform SQL injection. |
| CVE-2024-26129 | 0.00 | — | 0.01 | Feb 19, 2024 | PrestaShop is an open-source e-commerce platform. Starting in version 8.1.0 and prior to version 8.1.4, PrestaShop is vulnerable to path disclosure in a JavaScript variable. A patch is available in version 8.1.4. |
| CVE-2023-50026 | 0.00 | — | 0.01 | Feb 9, 2024 | SQL injection vulnerability in Presta Monster "Multi Accessories Pro" (hsmultiaccessoriespro) module for PrestaShop versions 5.1.1 and before, allows remote attackers to escalate privileges and obtain sensitive information via the method HsAccessoriesGroupProductAbstract::getAcce… |
| CVE-2023-50061 | 0.00 | — | 0.01 | Feb 8, 2024 | PrestaShop Op'art Easy Redirect >= 1.3.8 and <= 1.3.12 is vulnerable to SQL Injection via Oparteasyredirect::hookActionDispatcher(). |
| CVE-2024-24303 | 0.00 | — | 0.01 | Feb 7, 2024 | SQL Injection vulnerability in HiPresta "Gift Wrapping Pro" (hiadvancedgiftwrapping) module for PrestaShop before version 1.4.1, allows remote attackers to escalate privileges and obtain sensitive information via the HiAdvancedGiftWrappingGiftWrappingModuleFrontController::addGif… |
| CVE-2023-46351 | 0.00 | — | 0.01 | Jan 19, 2024 | In the module mib < 1.6.1 from MyPresta.eu for PrestaShop, a guest can perform SQL injection. The method `mib::getManufacturersByCategory()` has sensitive SQL calls that can be executed with a trivial http call and exploited to forge a SQL injection. |
| CVE-2023-50028 | 0.00 | — | 0.01 | Jan 19, 2024 | In the module "Sliding cart block" (blockslidingcart) up to version 2.3.8 from PrestashopModules.eu for PrestaShop, a guest can perform SQL injection. |
| CVE-2023-50027 | 0.00 | — | 0.01 | Jan 5, 2024 | SQL Injection vulnerability in Buy Addons baproductzoommagnifier module for PrestaShop versions 1.0.16 and before, allows remote attackers to escalate privileges and gain sensitive information via BaproductzoommagnifierZoomModuleFrontController::run() method. |
| CVE-2024-21628 | 0.00 | — | 0.00 | Jan 2, 2024 | PrestaShop is an open-source e-commerce platform. Prior to version 8.1.3, the isCleanHtml method is not used on this form, which makes it possible to store a cross-site scripting payload in the database. The impact is low because the HTML is not interpreted in BO, thanks to… |
| CVE-2024-21627 | 0.00 | — | 0.01 | Jan 2, 2024 | PrestaShop is an open-source e-commerce platform. Prior to versions 8.1.3 and 1.7.8.11, some event attributes are not detected by the `isCleanHTML` method. Some modules using the `isCleanHTML` method could be vulnerable to cross-site scripting. Versions 8.1.3 and 1.7.8.11… |
| CVE-2023-46354 | 0.00 | — | 0.01 | Dec 6, 2023 | In the module "Orders (CSV, Excel) Export PRO" (ordersexport) < 5.2.0 from MyPrestaModules for PrestaShop, a guest can download personal information without restriction. Due to a lack of permissions control, a guest can access exports from the module which can lead to a leak of… |
| CVE-2023-48042 | 0.00 | — | 0.00 | Nov 28, 2023 | Cross Site Scripting (XSS) in Search filters in Prestashop Amazzing filter version up to version 3.2.5, allows remote attackers to inject arbitrary JavaScript code. |
| CVE-2023-46355 | 0.00 | — | 0.01 | Nov 27, 2023 | In the module "CSV Feeds PRO" (csvfeeds) < 2.6.1 from Bl Modules for PrestaShop, a guest can download personal information without restriction. Due to too permissive access control which does not force administrator to use password on feeds, a guest can access exports from the… |
| CVE-2023-46349 | 0.00 | — | 0.01 | Nov 27, 2023 | In the module "Product Catalog (CSV, Excel) Export/Update" (updateproducts) < 3.8.5 from MyPrestaModules for PrestaShop, a guest can perform SQL injection. The method `productsUpdateModel::getExportIds()` has sensitive SQL calls that can be executed with a trivial http call and… |
| CVE-2023-48188 | 0.00 | — | 0.01 | Nov 27, 2023 | SQL injection vulnerability in PrestaShop opartdevis v.4.5.18 thru v.4.6.12 allows a remote attacker to execute arbitrary code via a crafted script to the getModuleTranslation function. |
| CVE-2023-46357 | 0.00 | — | 0.01 | Nov 22, 2023 | In the module "Cross Selling in Modal Cart" (motivationsale) < 3.5.0 from MyPrestaModules for PrestaShop, a guest can perform SQL injection. The method `motivationsaleDataModel::getProductsByIds()` has sensitive SQL calls that can be executed with a trivial http call and… |
| CVE-2023-45377 | 0.00 | — | 0.01 | Nov 22, 2023 | In the module "Chronopost Official" (chronopost) for PrestaShop, a guest can perform SQL injection. The PHP script `cancelSkybill.php` has a sensitive SQL call that can be executed with a trivial http call and exploited to forge a SQL injection. |
| CVE-2023-45387 | 0.00 | — | 0.01 | Nov 17, 2023 | In the module "Product Catalog (CSV, Excel, XML) Export PRO" (exportproducts) in versions up to 5.0.0 from MyPrestaModules for PrestaShop, a guest can perform SQL injection via `exportProduct::_addDataToDb()`. |
| CVE-2023-47110 | 0.00 | — | 0.00 | Nov 9, 2023 | blockreassurance adds an information block aimed at offering helpful information to reassure customers that their store is trustworthy. An ajax function in module blockreassurance allows modifying any value in the configuration table. This vulnerability has been patched in… |
| CVE-2023-47109 | 0.00 | — | 0.01 | Nov 8, 2023 | PrestaShop blockreassurance adds an information block aimed at offering helpful information to reassure customers that the store is trustworthy. When adding a block in blockreassurance module, a BO user can modify the http request and give the path of any file in the project… |
| CVE-2023-43984 | 0.00 | — | 0.01 | Nov 7, 2023 | Insecure permissions in Smart Soft advancedexport before v4.4.7 allow unauthenticated attackers to arbitrarily download user information from the ps_customer table. |
| CVE-2023-45380 | 0.00 | — | 0.01 | Nov 7, 2023 | In the module "Order Duplicator " Clone and Delete Existing Order" (orderduplicate) in version <= 1.1.7 from Silbersaiten for PrestaShop, a guest can download personal information without restriction. Due to a lack of permissions control, a guest can download personal… |
| CVE-2023-46352 | 0.00 | — | 0.00 | Nov 2, 2023 | In the module "Pixel Plus: Events + CAPI + Pixel Catalog for Facebook Module" (facebookconversiontrackingplus) up to version 2.4.9 from Smart Modules for PrestaShop, a guest can download personal information without restriction. Due to a lack of permissions control, a guest can… |
| CVE-2023-43139 | 0.00 | — | 0.01 | Oct 31, 2023 | An issue in franfinance before v.2.0.27 allows a remote attacker to execute arbitrary code via the validation.php, and controllers/front/validation.php components. |
| CVE-2023-27846 | 0.00 | — | 0.01 | Oct 31, 2023 | SQL injection vulnerability found in PrestaShop themevolty v.4.0.8 and before allows a remote attacker to gain privileges via the tvcmsblog, tvcmsvideotab, tvcmswishlist, tvcmsbrandlist, tvcmscategorychainslider, tvcmscategoryproduct, tvcmscategoryslider, tvcmspaymenticon,… |
| CVE-2023-46356 | 0.00 | — | 0.01 | Oct 31, 2023 | In the module "CSV Feeds PRO" (csvfeeds) before 2.6.1 from Bl Modules for PrestaShop, a guest can perform SQL injection. The method `SearchApiCsv::getProducts()` has a sensitive SQL call that can be executed with a trivial http call and exploited to forge a SQL injection. |
| CVE-2023-45378 | 0.00 | — | 0.01 | Oct 31, 2023 | In the module "PrestaBlog" (prestablog) version 4.4.7 and before from HDclic for PrestaShop, a guest can perform SQL injection. The ajax script slider_positions.php has a sensitive SQL call that can be executed with a trivial http call and exploited to forge a SQL injection. |
| CVE-2023-46346 | 0.00 | — | 0.01 | Oct 25, 2023 | In the module "Product Catalog (CSV, Excel, XML) Export PRO" (exportproducts) in versions up to 4.1.1 from MyPrestaModules for PrestaShop, a guest can download personal information without restriction by performing a path traversal attack. Due to a lack of permissions control… |
| CVE-2023-45379 | 0.00 | — | 0.01 | Oct 19, 2023 | In the module "Rotator Img" (posrotatorimg) in versions at least up to 1.1 from PosThemes for PrestaShop, a guest can perform SQL injection. |
| CVE-2023-45376 | 0.00 | — | 0.01 | Oct 19, 2023 | In the module "Carousels Pack - Instagram, Products, Brands, Supplier" (hicarouselspack) for PrestaShop up to version 1.5.0 from HiPresta for PrestaShop, a guest can perform SQL injection via `HiCpProductGetter::getViewedProduct()`. |
| CVE-2023-43986 | 0.00 | — | 0.01 | Oct 19, 2023 | DM Concept configurator before v4.9.4 was discovered to contain a SQL injection vulnerability via the component ConfiguratorAttachment::getAttachmentByToken. |
| CVE-2023-45383 | 0.00 | — | 0.01 | Oct 18, 2023 | In the module "SoNice etiquetage" (sonice_etiquetage) up to version 2.5.9 from Common-Services for PrestaShop, a guest can download personal information without restriction by performing a path traversal attack. Due to a lack of permissions control and a lack of control in the… |
| CVE-2023-45386 | 0.00 | — | 0.01 | Oct 17, 2023 | In the module extratabspro before version 2.2.8 from MyPresta.eu for PrestaShop, a guest can perform SQL injection via `extratabspro::searchcategory()`, `extratabspro::searchproduct()` and `extratabspro::searchmanufacturer()`. |