Prestashop

All CVEs

221 total · sorted by risk
  • CVE-2023-30154 · Oct 14, 2023
    risk 0.00 · cvss · epss 0.01

    Multiple improper neutralization of SQL parameters in module AfterMail (aftermailpresta) for PrestaShop, before version 2.2.1, allows remote attackers to perform SQL injection attacks via `id_customer`, `id_conf`, `id_product` and `token` parameters in `aftermailajax.php via the…

  • CVE-2023-39647 · Oct 3, 2023
    risk 0.00 · cvss · epss 0.01

    Improper neutralization of SQL parameter in Theme Volty CMS Category Product module for PrestaShop. In the module “Theme Volty CMS Category Product” (tvcmscategoryproduct) up to version 4.0.1 from Theme Volty for PrestaShop, a guest can perform SQL injection in affected…

  • CVE-2023-39648 · Oct 3, 2023
    risk 0.00 · cvss · epss 0.01

    Improper neutralization of SQL parameter in Theme Volty CMS Testimonial module for PrestaShop. In the module “Theme Volty CMS Testimonial” (tvcmstestimonial) up to version 4.0.1 from Theme Volty for PrestaShop, a guest can perform SQL injection in affected versions.

  • CVE-2023-39645 · Oct 3, 2023
    risk 0.00 · cvss · epss 0.01

    Improper neutralization of SQL parameter in Theme Volty CMS Payment Icon module for PrestaShop. In the module “Theme Volty CMS Payment Icon” (tvcmspaymenticon) up to version 4.0.1 from Theme Volty for PrestaShop, a guest can perform SQL injection in affected versions.

  • CVE-2023-39646 · Oct 3, 2023
    risk 0.00 · cvss · epss 0.01

    Improper neutralization of SQL parameter in Theme Volty CMS Category Chain Slider module for PrestaShop. In the module “Theme Volty CMS Category Chain Slider” (tvcmscategorychainslider) up to version 4.0.1 from Theme Volty for PrestaShop, a guest can perform SQL injection in…

  • CVE-2023-39649 · Oct 3, 2023
    risk 0.00 · cvss · epss 0.01

    Improper neutralization of SQL parameter in Theme Volty CMS Category Slider module for PrestaShop. In the module “Theme Volty CMS Category Slider” (tvcmscategoryslider) up to version 4.0.1 from Theme Volty for PrestaShop, a guest can perform SQL injection in affected…

  • CVE-2023-43664 · Sep 28, 2023
    risk 0.00 · cvss · epss 0.00

    PrestaShop is an Open Source e-commerce web application. In the Prestashop Back office interface, an employee can list all modules without any access rights: method `ajaxProcessGetPossibleHookingListForModule` doesn't check access rights. This issue has been addressed in commit…

  • CVE-2023-43663 · Sep 28, 2023
    risk 0.00 · cvss · epss 0.00

    PrestaShop is an Open Source e-commerce web application. In affected versions any module can be disabled or uninstalled from the back office, even with low user rights. This allows low privileged users to disable portions of a shop's functionality. Commit `ce1f6708` addresses this…

  • CVE-2023-39640 · Sep 25, 2023
    risk 0.00 · cvss · epss 0.01

    UpLight cookiebanner before 1.5.1 was discovered to contain a SQL injection vulnerability via the component Hook::getHookModuleExecList().

  • CVE-2023-34577 · Sep 21, 2023
    risk 0.00 · cvss · epss 0.01

    SQL injection vulnerability in Prestashop opartplannedpopup 1.4.11 and earlier allows remote attackers to run arbitrary SQL commands via OpartPlannedPopupModuleFrontController::prepareHook() method.

  • CVE-2022-45447 · Sep 20, 2023
    risk 0.00 · cvss · epss 0.01

    M4 PDF plugin for Prestashop sites, in its 3.2.3 version and before, is vulnerable to a directory traversal vulnerability. The “f” parameter is not properly checked in the resource /m4pdf/pdf.php, returning any file given its relative path. An attacker that exploits this…

  • CVE-2023-39641 · Sep 14, 2023
    risk 0.00 · cvss · epss 0.01

    Active Design psaffiliate before v1.9.8 was discovered to contain a SQL injection vulnerability via the component PsaffiliateGetaffiliatesdetailsModuleFrontController::initContent().

  • CVE-2023-33663 · Aug 16, 2023
    risk 0.00 · cvss · epss 0.01

    In the module “Customization fields fee for your store” (aicustomfee) from ai-dev module for PrestaShop, an attacker can perform SQL injection up to 0.2.0. Release 0.2.1 fixed this security issue.

  • CVE-2023-39530 · Aug 7, 2023
    risk 0.00 · cvss · epss 0.01

    PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, it is possible to delete files from the server via the CustomerMessage API. Version 8.1.1 contains a patch for this issue. There are no known workarounds.

  • CVE-2023-39529 · Aug 7, 2023
    risk 0.00 · cvss · epss 0.01

    PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, it is possible to delete a file from the server by using the Attachments controller and the Attachments API. Version 8.1.1 contains a patch for this issue. There are no known workarounds.

  • CVE-2023-39528 · Aug 7, 2023
    risk 0.00 · cvss · epss 0.01

    PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, the `displayAjaxEmailHTML` method can be used to read any file on the server, potentially even outside of the project if the server is not correctly configured. Version 8.1.1 contains a patch for…

  • CVE-2023-39527 · Aug 7, 2023
    risk 0.00 · cvss · epss 0.00

    PrestaShop is an open source e-commerce web application. Versions prior to 1.7.8.10, 8.0.5, and 8.1.1 are vulnerable to cross-site scripting through the `isCleanHTML` method. Versions 1.7.8.10, 8.0.5, and 8.1.1 contain a patch. There are no known workarounds.

  • CVE-2023-39526 · Aug 7, 2023
    risk 0.00 · cvss · epss 0.01

    PrestaShop is an open source e-commerce web application. Versions prior to 1.7.8.10, 8.0.5, and 8.1.1 are vulnerable to remote code execution through SQL injection and arbitrary file write in the back office. Versions 1.7.8.10, 8.0.5, and 8.1.1 contain a patch. There are no…

  • CVE-2023-39525 · Aug 7, 2023
    risk 0.00 · cvss · epss 0.01

    PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, in the back office, files can be compromised using path traversal by replaying the import file deletion query with a specified file path that uses the traversal path. Version 8.1.1 contains a patch…

  • CVE-2023-39524 · Aug 7, 2023
    risk 0.00 · cvss · epss 0.01

    PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, SQL injection is possible in the product search field on the back office's product page. Version 8.1.1 contains a patch for this issue. There are no known workarounds.

  • CVE-2023-33493 · Aug 1, 2023
    risk 0.00 · cvss · epss 0.01

    An Unrestricted Upload of File with Dangerous Type vulnerability in the Ajaxmanager File and Database explorer (ajaxmanager) module for PrestaShop through 2.3.0, allows remote attackers to upload dangerous files without restrictions.

  • CVE-2023-33777 · Jul 25, 2023
    risk 0.00 · cvss · epss 0.01

    An issue in /functions/fbaorder.php of Prestashop amazon before v5.2.24 allows attackers to execute a directory traversal attack.

  • CVE-2023-30153 · Jul 18, 2023
    risk 0.00 · cvss · epss 0.01

    An SQL injection vulnerability in the Payplug (payplug) module for PrestaShop, in versions 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.7.0 and 3.7.1, allows remote attackers to execute arbitrary SQL commands via the ajax.php front controller.

  • CVE-2023-30151 · Jul 13, 2023
    risk 0.00 · cvss · epss 0.01

    A SQL injection vulnerability in the Boxtal (envoimoinscher) module for PrestaShop, after version 3.1.10, allows remote attackers to execute arbitrary SQL commands via the `key` GET parameter.

  • CVE-2023-26861 · Jul 11, 2023
    risk 0.00 · cvss · epss 0.01

    SQL injection vulnerability found in PrestaShop vivawallet v.1.7.10 and before allows a remote attacker to gain privileges via the vivawallet() module.

  • CVE-2023-27845 · Jul 7, 2023
    risk 0.00 · cvss · epss 0.01

    SQL injection vulnerability found in PrestaShop lekerawen_ocs before v.1.4.1 allows a remote attacker to gain privileges via the KerawenHelper::setCartOperationInfo and KerawenHelper::resetCheckoutSessionData components.

  • CVE-2023-30195 · Jul 6, 2023
    risk 0.00 · cvss · epss 0.00

    In the module "Detailed Order" (lgdetailedorder) in versions up to 1.1.20 from Linea Grafica for PrestaShop, a guest can download personal information without restriction, formatted as JSON.

  • CVE-2023-31672 · Jun 15, 2023
    risk 0.00 · cvss · epss 0.01

    In the PrestaShop module "Length, weight or volume sell" (ailinear) before version 2.4.3, there is a SQL injection vulnerability.

  • CVE-2023-31671 · Jun 14, 2023
    risk 0.00 · cvss · epss 0.01

    PrestaShop postfinance <= 17.1.13 is vulnerable to SQL Injection via PostfinanceValidationModuleFrontController::postProcess().

  • CVE-2023-29632 · Jun 6, 2023
    risk 0.00 · cvss · epss 0.01

    PrestaShop jmspagebuilder 3.x is vulnerable to SQL Injection via ajax_jmspagebuilder.php.

  • CVE-2023-29630 · Jun 5, 2023
    risk 0.00 · cvss · epss 0.01

    PrestaShop jmsmegamenu 1.1.x and 2.0.x is vulnerable to SQL Injection via ajax_jmsmegamenu.php.

  • CVE-2023-29629 · Jun 5, 2023
    risk 0.00 · cvss · epss 0.01

    PrestaShop jmsthemelayout 2.5.5 is vulnerable to SQL Injection via ajax_jmsvermegamenu.php.

  • CVE-2023-29631 · Jun 5, 2023
    risk 0.00 · cvss · epss 0.01

    PrestaShop jmsslider 1.6.0 is vulnerable to Incorrect Access Control via ajax_jmsslider.php.

  • CVE-2023-30197 · May 31, 2023
    risk 0.00 · cvss · epss 0.01

    Incorrect Access Control in the module "My inventory" (myinventory) <= 1.6.6 from Webbax for PrestaShop, allows a guest to download personal information without restriction by performing a path traversal attack.

  • CVE-2023-30196 · May 30, 2023
    risk 0.00 · cvss · epss 0.01

    Prestashop salesbooster <= 1.10.4 is vulnerable to Incorrect Access Control via modules/salesbooster/downloads/download.php.

  • CVE-2023-33278 · May 25, 2023
    risk 0.00 · cvss · epss 0.01

    In the Store Commander scexportcustomers module for PrestaShop through 3.6.1, sensitive SQL calls can be executed with a trivial HTTP request and exploited to forge a blind SQL injection.

  • CVE-2023-30199 · May 19, 2023
    risk 0.00 · cvss · epss 0.01

    Prestashop customexporter <= 1.7.20 is vulnerable to Incorrect Access Control via modules/customexporter/downloads/download.php.

  • CVE-2023-30191 · May 17, 2023
    risk 0.00 · cvss · epss 0.01

    PrestaShop cdesigner < 3.1.9 is vulnerable to SQL Injection via CdesignerTraitementModuleFrontController::initContent().

  • CVE-2023-30189 · May 16, 2023
    risk 0.00 · cvss · epss 0.01

    Prestashop posstaticblocks <= 1.0.0 is vulnerable to SQL Injection via posstaticblocks::getPosCurrentHook().

  • CVE-2023-30282 · May 4, 2023
    risk 0.00 · cvss · epss 0.01

    PrestaShop scexportcustomers <= 3.6.1 is vulnerable to Incorrect Access Control. Due to a lack of permission control, a guest can access exports from the module, which can lead to a leak of personal information from the customer table.

  • CVE-2023-30839 · Apr 25, 2023
    risk 0.00 · cvss · epss 0.02

    PrestaShop is an Open Source e-commerce web application. Versions prior to 8.0.4 and 1.7.8.9 contain a SQL filtering vulnerability. A BO user can write, update, and delete in the database, even without having specific rights. PrestaShop 8.0.4 and 1.7.8.9 contain a patch for this…

  • CVE-2023-30838 · Apr 25, 2023
    risk 0.00 · cvss · epss 0.01

    PrestaShop is an Open Source e-commerce web application. Prior to versions 8.0.4 and 1.7.8.9, the `ValidateCore::isCleanHTML()` method of Prestashop misses hijackable events which can lead to cross-site scripting (XSS) injection, allowed by the presence of pre-setup `@keyframes`…

  • CVE-2023-30545 · Apr 25, 2023
    risk 0.00 · cvss · epss 0.01

    PrestaShop is an Open Source e-commerce web application. Prior to versions 8.0.4 and 1.7.8.9, it is possible for a user with access to the SQL Manager (Advanced Options -> Database) to arbitrarily read any file on the operating system when using SQL function `LOAD_FILE` in a…

  • CVE-2023-27843 · Apr 25, 2023
    risk 0.00 · cvss · epss 0.01

    SQL injection vulnerability found in PrestaShop askforaquote v.5.4.2 and before allows a remote attacker to gain privileges via the QuotesProduct::deleteProduct component.

  • CVE-2023-26865 · Apr 24, 2023
    risk 0.00 · cvss · epss 0.01

    SQL injection vulnerability found in PrestaShop bdroppy v.2.2.12 and before allowing a remote attacker to gain privileges via the BdroppyCronModuleFrontController::importProducts component.

  • CVE-2023-27844 · Apr 17, 2023
    risk 0.00 · cvss · epss 0.01

    SQL injection vulnerability found in PrestaShopleurlrewrite v.1.0 and before allows a remote attacker to gain privileges via the Dispatcher::getController component.

  • CVE-2023-26860 · Apr 10, 2023
    risk 0.00 · cvss · epss 0.01

    SQL injection vulnerability found in PrestaShop Igbudget v.1.0.3 and before allows a remote attacker to gain privileges via the LgBudgetBudgetModuleFrontController::displayAjaxGenerateBudget component.

  • CVE-2023-27033 · Apr 7, 2023
    risk 0.00 · cvss · epss 0.01

    Prestashop cdesigner v3.1.3 to v3.1.8 was discovered to contain a code injection vulnerability via the component CdesignerSaverotateModuleFrontController::initContent().

  • CVE-2023-26864 · Mar 24, 2023
    risk 0.00 · cvss · epss 0.01

    SQL injection vulnerability found in PrestaShop smplredirectionsmanager v.1.1.19 and before allows a remote attacker to gain privileges via the SmplTools::getMatchingRedirectionsFromParts component.

  • CVE-2023-25206 · Mar 14, 2023
    risk 0.00 · cvss · epss 0.01

    PrestaShop ws_productreviews < 3.6.2 is vulnerable to SQL Injection.