Vendor CVEs
Prestashop
All CVEs
221 total · sorted by risk

| CVE | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|
| CVE-2023-30154 | 0.00 | — | 0.01 | Oct 14, 2023 | Multiple improper neutralization of SQL parameters in module AfterMail (aftermailpresta) for PrestaShop, before version 2.2.1, allows remote attackers to perform SQL injection attacks via `id_customer`, `id_conf`, `id_product` and `token` parameters in `aftermailajax.php` via the… |
| CVE-2023-39647 | 0.00 | — | 0.01 | Oct 3, 2023 | Improper neutralization of SQL parameter in Theme Volty CMS Category Product module for PrestaShop. In the module “Theme Volty CMS Category Product” (tvcmscategoryproduct) up to version 4.0.1 from Theme Volty for PrestaShop, a guest can perform SQL injection in affected… |
| CVE-2023-39648 | 0.00 | — | 0.01 | Oct 3, 2023 | Improper neutralization of SQL parameter in Theme Volty CMS Testimonial module for PrestaShop. In the module “Theme Volty CMS Testimonial” (tvcmstestimonial) up to version 4.0.1 from Theme Volty for PrestaShop, a guest can perform SQL injection in affected versions. |
| CVE-2023-39645 | 0.00 | — | 0.01 | Oct 3, 2023 | Improper neutralization of SQL parameter in Theme Volty CMS Payment Icon module for PrestaShop. In the module “Theme Volty CMS Payment Icon” (tvcmspaymenticon) up to version 4.0.1 from Theme Volty for PrestaShop, a guest can perform SQL injection in affected versions. |
| CVE-2023-39646 | 0.00 | — | 0.01 | Oct 3, 2023 | Improper neutralization of SQL parameter in Theme Volty CMS Category Chain Slider module for PrestaShop. In the module “Theme Volty CMS Category Chain Slider” (tvcmscategorychainslider) up to version 4.0.1 from Theme Volty for PrestaShop, a guest can perform SQL injection in… |
| CVE-2023-39649 | 0.00 | — | 0.01 | Oct 3, 2023 | Improper neutralization of SQL parameter in Theme Volty CMS Category Slider module for PrestaShop. In the module “Theme Volty CMS Category Slider” (tvcmscategoryslider) up to version 4.0.1 from Theme Volty for PrestaShop, a guest can perform SQL injection in affected… |
| CVE-2023-43664 | 0.00 | — | 0.00 | Sep 28, 2023 | PrestaShop is an Open Source e-commerce web application. In the PrestaShop back office interface, an employee can list all modules without any access rights: the method `ajaxProcessGetPossibleHookingListForModule` doesn't check access rights. This issue has been addressed in commit… |
| CVE-2023-43663 | 0.00 | — | 0.00 | Sep 28, 2023 | PrestaShop is an Open Source e-commerce web application. In affected versions any module can be disabled or uninstalled from the back office, even with low user rights. This allows low-privileged users to disable portions of a shop's functionality. Commit `ce1f6708` addresses this… |
| CVE-2023-39640 | 0.00 | — | 0.01 | Sep 25, 2023 | UpLight cookiebanner before 1.5.1 was discovered to contain a SQL injection vulnerability via the component Hook::getHookModuleExecList(). |
| CVE-2023-34577 | 0.00 | — | 0.01 | Sep 21, 2023 | SQL injection vulnerability in PrestaShop opartplannedpopup 1.4.11 and earlier allows remote attackers to run arbitrary SQL commands via the OpartPlannedPopupModuleFrontController::prepareHook() method. |
| CVE-2022-45447 | 0.00 | — | 0.01 | Sep 20, 2023 | M4 PDF plugin for PrestaShop sites, in its 3.2.3 version and before, is vulnerable to a directory traversal vulnerability. The “f” parameter is not properly checked in the resource /m4pdf/pdf.php, returning any file given its relative path. An attacker that exploits this… |
| CVE-2023-39641 | 0.00 | — | 0.01 | Sep 14, 2023 | Active Design psaffiliate before v1.9.8 was discovered to contain a SQL injection vulnerability via the component PsaffiliateGetaffiliatesdetailsModuleFrontController::initContent(). |
| CVE-2023-33663 | 0.00 | — | 0.01 | Aug 16, 2023 | In the module “Customization fields fee for your store” (aicustomfee) from ai-dev module for PrestaShop, an attacker can perform SQL injection up to 0.2.0. Release 0.2.1 fixed this security issue. |
| CVE-2023-39530 | 0.00 | — | 0.01 | Aug 7, 2023 | PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, it is possible to delete files from the server via the CustomerMessage API. Version 8.1.1 contains a patch for this issue. There are no known workarounds. |
| CVE-2023-39529 | 0.00 | — | 0.01 | Aug 7, 2023 | PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, it is possible to delete a file from the server by using the Attachments controller and the Attachments API. Version 8.1.1 contains a patch for this issue. There are no known workarounds. |
| CVE-2023-39528 | 0.00 | — | 0.01 | Aug 7, 2023 | PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, the `displayAjaxEmailHTML` method can be used to read any file on the server, potentially even outside of the project if the server is not correctly configured. Version 8.1.1 contains a patch for… |
| CVE-2023-39527 | 0.00 | — | 0.00 | Aug 7, 2023 | PrestaShop is an open source e-commerce web application. Versions prior to 1.7.8.10, 8.0.5, and 8.1.1 are vulnerable to cross-site scripting through the `isCleanHTML` method. Versions 1.7.8.10, 8.0.5, and 8.1.1 contain a patch. There are no known workarounds. |
| CVE-2023-39526 | 0.00 | — | 0.01 | Aug 7, 2023 | PrestaShop is an open source e-commerce web application. Versions prior to 1.7.8.10, 8.0.5, and 8.1.1 are vulnerable to remote code execution through SQL injection and arbitrary file write in the back office. Versions 1.7.8.10, 8.0.5, and 8.1.1 contain a patch. There are no… |
| CVE-2023-39525 | 0.00 | — | 0.01 | Aug 7, 2023 | PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, in the back office, files can be compromised using path traversal by replaying the import file deletion query with a specified file path that uses the traversal path. Version 8.1.1 contains a patch… |
| CVE-2023-39524 | 0.00 | — | 0.01 | Aug 7, 2023 | PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, SQL injection is possible in the product search field on the back office's product page. Version 8.1.1 contains a patch for this issue. There are no known workarounds. |
| CVE-2023-33493 | 0.00 | — | 0.01 | Aug 1, 2023 | An Unrestricted Upload of File with Dangerous Type vulnerability in the Ajaxmanager File and Database explorer (ajaxmanager) module for PrestaShop through 2.3.0 allows remote attackers to upload dangerous files without restrictions. |
| CVE-2023-33777 | 0.00 | — | 0.01 | Jul 25, 2023 | An issue in /functions/fbaorder.php of PrestaShop amazon before v5.2.24 allows attackers to execute a directory traversal attack. |
| CVE-2023-30153 | 0.00 | — | 0.01 | Jul 18, 2023 | An SQL injection vulnerability in the Payplug (payplug) module for PrestaShop, in versions 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.7.0 and 3.7.1, allows remote attackers to execute arbitrary SQL commands via the ajax.php front controller. |
| CVE-2023-30151 | 0.00 | — | 0.01 | Jul 13, 2023 | A SQL injection vulnerability in the Boxtal (envoimoinscher) module for PrestaShop, after version 3.1.10, allows remote attackers to execute arbitrary SQL commands via the `key` GET parameter. |
| CVE-2023-26861 | 0.00 | — | 0.01 | Jul 11, 2023 | SQL injection vulnerability found in PrestaShop vivawallet v.1.7.10 and before allows a remote attacker to gain privileges via the vivawallet() module. |
| CVE-2023-27845 | 0.00 | — | 0.01 | Jul 7, 2023 | SQL injection vulnerability found in PrestaShop lekerawen_ocs before v.1.4.1 allows a remote attacker to gain privileges via the KerawenHelper::setCartOperationInfo and KerawenHelper::resetCheckoutSessionData components. |
| CVE-2023-30195 | 0.00 | — | 0.00 | Jul 6, 2023 | In the module "Detailed Order" (lgdetailedorder) in versions up to 1.1.20 from Linea Grafica for PrestaShop, a guest can download personal information without restriction, formatted in JSON. |
| CVE-2023-31672 | 0.00 | — | 0.01 | Jun 15, 2023 | In the PrestaShop < 2.4.3 module "Length, weight or volume sell" (ailinear) there is a SQL injection vulnerability. |
| CVE-2023-31671 | 0.00 | — | 0.01 | Jun 14, 2023 | PrestaShop postfinance <= 17.1.13 is vulnerable to SQL Injection via PostfinanceValidationModuleFrontController::postProcess(). |
| CVE-2023-29632 | 0.00 | — | 0.01 | Jun 6, 2023 | PrestaShop jmspagebuilder 3.x is vulnerable to SQL Injection via ajax_jmspagebuilder.php. |
| CVE-2023-29630 | 0.00 | — | 0.01 | Jun 5, 2023 | PrestaShop jmsmegamenu 1.1.x and 2.0.x is vulnerable to SQL Injection via ajax_jmsmegamenu.php. |
| CVE-2023-29629 | 0.00 | — | 0.01 | Jun 5, 2023 | PrestaShop jmsthemelayout 2.5.5 is vulnerable to SQL Injection via ajax_jmsvermegamenu.php. |
| CVE-2023-29631 | 0.00 | — | 0.01 | Jun 5, 2023 | PrestaShop jmsslider 1.6.0 is vulnerable to Incorrect Access Control via ajax_jmsslider.php. |
| CVE-2023-30197 | 0.00 | — | 0.01 | May 31, 2023 | Incorrect Access Control in the module "My inventory" (myinventory) <= 1.6.6 from Webbax for PrestaShop allows a guest to download personal information without restriction by performing a path traversal attack. |
| CVE-2023-30196 | 0.00 | — | 0.01 | May 30, 2023 | PrestaShop salesbooster <= 1.10.4 is vulnerable to Incorrect Access Control via modules/salesbooster/downloads/download.php. |
| CVE-2023-33278 | 0.00 | — | 0.01 | May 25, 2023 | In the Store Commander scexportcustomers module for PrestaShop through 3.6.1, sensitive SQL calls can be executed with a trivial HTTP request and exploited to forge a blind SQL injection. |
| CVE-2023-30199 | 0.00 | — | 0.01 | May 19, 2023 | PrestaShop customexporter <= 1.7.20 is vulnerable to Incorrect Access Control via modules/customexporter/downloads/download.php. |
| CVE-2023-30191 | 0.00 | — | 0.01 | May 17, 2023 | PrestaShop cdesigner < 3.1.9 is vulnerable to SQL Injection via CdesignerTraitementModuleFrontController::initContent(). |
| CVE-2023-30189 | 0.00 | — | 0.01 | May 16, 2023 | PrestaShop posstaticblocks <= 1.0.0 is vulnerable to SQL Injection via posstaticblocks::getPosCurrentHook(). |
| CVE-2023-30282 | 0.00 | — | 0.01 | May 4, 2023 | PrestaShop scexportcustomers <= 3.6.1 is vulnerable to Incorrect Access Control. Due to a lack of permission checks, a guest can access exports from the module, which can lead to a leak of personal information from the customer table. |
| CVE-2023-30839 | 0.00 | — | 0.02 | Apr 25, 2023 | PrestaShop is an Open Source e-commerce web application. Versions prior to 8.0.4 and 1.7.8.9 contain a SQL filtering vulnerability. A BO user can write, update, and delete in the database, even without having specific rights. PrestaShop 8.0.4 and 1.7.8.9 contain a patch for this… |
| CVE-2023-30838 | 0.00 | — | 0.01 | Apr 25, 2023 | PrestaShop is an Open Source e-commerce web application. Prior to versions 8.0.4 and 1.7.8.9, the `ValidateCore::isCleanHTML()` method of PrestaShop misses hijackable events which can lead to cross-site scripting (XSS) injection, allowed by the presence of pre-setup `@keyframes`… |
| CVE-2023-30545 | 0.00 | — | 0.01 | Apr 25, 2023 | PrestaShop is an Open Source e-commerce web application. Prior to versions 8.0.4 and 1.7.8.9, it is possible for a user with access to the SQL Manager (Advanced Options -> Database) to arbitrarily read any file on the operating system when using SQL function `LOAD_FILE` in a… |
| CVE-2023-27843 | 0.00 | — | 0.01 | Apr 25, 2023 | SQL injection vulnerability found in PrestaShop askforaquote v.5.4.2 and before allows a remote attacker to gain privileges via the QuotesProduct::deleteProduct component. |
| CVE-2023-26865 | 0.00 | — | 0.01 | Apr 24, 2023 | SQL injection vulnerability found in PrestaShop bdroppy v.2.2.12 and before allows a remote attacker to gain privileges via the BdroppyCronModuleFrontController::importProducts component. |
| CVE-2023-27844 | 0.00 | — | 0.01 | Apr 17, 2023 | SQL injection vulnerability found in PrestaShop leurlrewrite v.1.0 and before allows a remote attacker to gain privileges via the Dispatcher::getController component. |
| CVE-2023-26860 | 0.00 | — | 0.01 | Apr 10, 2023 | SQL injection vulnerability found in PrestaShop Igbudget v.1.0.3 and before allows a remote attacker to gain privileges via the LgBudgetBudgetModuleFrontController::displayAjaxGenerateBudget component. |
| CVE-2023-27033 | 0.00 | — | 0.01 | Apr 7, 2023 | PrestaShop cdesigner v3.1.3 to v3.1.8 was discovered to contain a code injection vulnerability via the component CdesignerSaverotateModuleFrontController::initContent(). |
| CVE-2023-26864 | 0.00 | — | 0.01 | Mar 24, 2023 | SQL injection vulnerability found in PrestaShop smplredirectionsmanager v.1.1.19 and before allows a remote attacker to gain privileges via the SmplTools::getMatchingRedirectionsFromParts component. |
| CVE-2023-25206 | 0.00 | — | 0.01 | Mar 14, 2023 | PrestaShop ws_productreviews < 3.6.2 is vulnerable to SQL Injection. |
Page 3 of 5