Vendor CVEs
Prestashop
All CVEs
221 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-5294 | | | 0.00 | — | 0.01 | | Apr 16, 2020 | PrestaShop module ps_facetedsearch versions before 2.1.0 has a reflected XSS with social networks fields. The problem is fixed in 2.1.0. |
| CVE-2020-5277 | | | 0.00 | — | 0.01 | | Mar 25, 2020 | PrestaShop module ps_facetedsearch versions before 3.5.0 has a reflected XSS with `url_name` parameter. The problem is fixed in 3.5.0. |
| CVE-2020-5250 | | | 0.00 | — | 0.01 | | Mar 5, 2020 | In PrestaShop before version 1.7.6.4, when a customer edits their address, they can freely change the id_address in the form, and thus steal someone else's address. It is the same with CustomerForm, you are able to change the id_customer and change all information of all… |
| CVE-2013-6295 | | | 0.00 | — | 0.02 | | Feb 18, 2020 | PrestaShop 1.5.5 is vulnerable to privilege escalation via a Salesman account via the upload module. |
| CVE-2013-4792 | | | 0.00 | — | 0.00 | | Feb 13, 2020 | PrestaShop before 1.4.11 allows logout CSRF. |
| CVE-2013-6358 | | | 0.00 | — | 0.04 | | Jan 23, 2020 | PrestaShop 1.5.5 allows remote authenticated attackers to execute arbitrary code by uploading a crafted profile and then accessing it in the module/ directory. |
| CVE-2020-6632 | | | 0.00 | — | 0.01 | | Jan 9, 2020 | In PrestaShop 1.7.6.2, XSS can occur during addition or removal of a QuickAccess link. This is related to AdminQuickAccessesController.php, themes/default/template/header.tpl, and themes/new-theme/js/header.js. |
| CVE-2019-6017 | | | 0.00 | — | 0.01 | | Dec 26, 2019 | REMISE Payment Module (2.11, 2.12 and 2.13) version 3.0.12 and earlier allow remote attackers to [Disclosed_Information_type] via unspecified vectors. |
| CVE-2019-6016 | | | 0.00 | — | 0.01 | | Dec 26, 2019 | Cross-site scripting vulnerability in REMISE Payment Module (2.11, 2.12 and 2.13) version 3.0.12 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| CVE-2019-15565 | | | 0.00 | — | 0.01 | | Aug 26, 2019 | The ICOMMKT connector before 1.0.7 for PrestaShop allows SQL injection in icommktconnector.php. |
| CVE-2019-13461 | | | 0.00 | — | 0.02 | | Jul 9, 2019 | In PrestaShop before 1.7.6.0 RC2, the id_address_delivery and id_address_invoice parameters are affected by an Insecure Direct Object Reference vulnerability due to a guessable value sent to the web application during checkout. An attacker could leak personal customer… |
| CVE-2018-20717 | | | 0.00 | — | 0.03 | | Jan 15, 2019 | In the orders section of PrestaShop before 1.7.2.5, an attack is possible after gaining access to a target store with a user role with the rights of at least a Salesman or higher privileges. The attacker can then inject arbitrary PHP objects into the process and abuse an object… |
| CVE-2018-19124 | | | 0.00 | — | 0.03 | | Nov 9, 2018 | PrestaShop 1.6.x before 1.6.1.23 and 1.7.x before 1.7.4.4 on Windows allows remote attackers to write to arbitrary image files. |
| CVE-2018-7491 | | High | 0.00 | 7.5 | 0.01 | | Feb 26, 2018 | In PrestaShop through 1.7.2.5, a UI-Redressing/Clickjacking vulnerability was found that might lead to state-changing impact in the context of a user or an admin, because the generateHtaccess function in classes/Tools.php sets neither X-Frame-Options nor 'Content-Security-Policy… |
| CVE-2015-1175 | | | 0.00 | — | 0.02 | | Jan 22, 2015 | Cross-site scripting (XSS) vulnerability in blocklayered-ajax.php in the blocklayered module in PrestaShop 1.6.0.9 and earlier allows remote attackers to inject arbitrary web script or HTML via the layered_price_slider parameter. |
| CVE-2012-6641 | | | 0.00 | — | 0.02 | | Apr 7, 2014 | Cross-site scripting (XSS) vulnerability in redirect.php in the Socolissimo module (modules/socolissimo/) in PrestaShop before 1.4.7.2 allows remote attackers to inject arbitrary web script or HTML via vectors related to "parameter names and values." |
| CVE-2012-5801 | | | 0.00 | — | 0.01 | | Nov 4, 2012 | The PayPal module in PrestaShop does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate,… |
| CVE-2012-5800 | | | 0.00 | — | 0.01 | | Nov 4, 2012 | The eBay module in PrestaShop does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. |
| CVE-2012-5799 | | | 0.00 | — | 0.01 | | Nov 4, 2012 | The Canada Post (aka CanadaPost) module in PrestaShop does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary… |
| CVE-2011-3796 | | | 0.00 | — | 0.02 | | Sep 24, 2011 | PrestaShop 1.4.0.6 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by product-sort.php and certain other files. |
| CVE-2008-5791 | | | 0.00 | — | 0.02 | | Dec 31, 2008 | Multiple unspecified vulnerabilities in PrestaShop e-Commerce Solution before 1.1 Beta 2 (aka 1.1.0.1) have unknown impact and attack vectors, related to the (1) bankwire module, (2) cheque module, and other components. |
Page 5 of 5