VYPR

Vendor CVEs

Prestashop

All CVEs

221 total · sorted by risk
  • CVE-2020-5294 · Apr 16, 2020
    risk 0.00 · cvss - · epss 0.01

    PrestaShop module ps_facetedsearch versions before 2.1.0 have a reflected XSS with social networks fields. The problem is fixed in 2.1.0.

  • CVE-2020-5277 · Mar 25, 2020
    risk 0.00 · cvss - · epss 0.01

    PrestaShop module ps_facetedsearch versions before 3.5.0 have a reflected XSS with the `url_name` parameter. The problem is fixed in 3.5.0.

  • CVE-2020-5250 · Mar 5, 2020
    risk 0.00 · cvss - · epss 0.01

    In PrestaShop before version 1.7.6.4, when a customer edits their address, they can freely change the id_address in the form, and thus steal someone else's address. It is the same with CustomerForm, you are able to change the id_customer and change all information of all…

  • CVE-2013-6295 · Feb 18, 2020
    risk 0.00 · cvss - · epss 0.02

    PrestaShop 1.5.5 is vulnerable to privilege escalation via a Salesman account via the upload module.

  • CVE-2013-4792 · Feb 13, 2020
    risk 0.00 · cvss - · epss 0.00

    PrestaShop before 1.4.11 allows logout CSRF.

  • CVE-2013-6358 · Jan 23, 2020
    risk 0.00 · cvss - · epss 0.04

    PrestaShop 1.5.5 allows remote authenticated attackers to execute arbitrary code by uploading a crafted profile and then accessing it in the module/ directory.

  • CVE-2020-6632 · Jan 9, 2020
    risk 0.00 · cvss - · epss 0.01

    In PrestaShop 1.7.6.2, XSS can occur during addition or removal of a QuickAccess link. This is related to AdminQuickAccessesController.php, themes/default/template/header.tpl, and themes/new-theme/js/header.js.

  • CVE-2019-6017 · Dec 26, 2019
    risk 0.00 · cvss - · epss 0.01

    REMISE Payment Module (2.11, 2.12 and 2.13) version 3.0.12 and earlier allow remote attackers to [Disclosed_Information_type] via unspecified vectors.

  • CVE-2019-6016 · Dec 26, 2019
    risk 0.00 · cvss - · epss 0.01

    Cross-site scripting vulnerability in REMISE Payment Module (2.11, 2.12 and 2.13) version 3.0.12 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

  • CVE-2019-15565 · Aug 26, 2019
    risk 0.00 · cvss - · epss 0.01

    The ICOMMKT connector before 1.0.7 for PrestaShop allows SQL injection in icommktconnector.php.

  • CVE-2019-13461 · Jul 9, 2019
    risk 0.00 · cvss - · epss 0.02

    In PrestaShop before 1.7.6.0 RC2, the id_address_delivery and id_address_invoice parameters are affected by an Insecure Direct Object Reference vulnerability due to a guessable value sent to the web application during checkout. An attacker could leak personal customer…

  • CVE-2018-20717 · Jan 15, 2019
    risk 0.00 · cvss - · epss 0.03

    In the orders section of PrestaShop before 1.7.2.5, an attack is possible after gaining access to a target store with a user role with the rights of at least a Salesman or higher privileges. The attacker can then inject arbitrary PHP objects into the process and abuse an object…

  • CVE-2018-19124 · Nov 9, 2018
    risk 0.00 · cvss - · epss 0.03

    PrestaShop 1.6.x before 1.6.1.23 and 1.7.x before 1.7.4.4 on Windows allows remote attackers to write to arbitrary image files.

  • CVE-2018-7491 · High · Feb 26, 2018
    risk 0.00 · cvss 7.5 · epss 0.01

    In PrestaShop through 1.7.2.5, a UI-Redressing/Clickjacking vulnerability was found that might lead to state-changing impact in the context of a user or an admin, because the generateHtaccess function in classes/Tools.php sets neither X-Frame-Options nor 'Content-Security-Policy…

  • CVE-2015-1175 · Jan 22, 2015
    risk 0.00 · cvss - · epss 0.02

    Cross-site scripting (XSS) vulnerability in blocklayered-ajax.php in the blocklayered module in PrestaShop 1.6.0.9 and earlier allows remote attackers to inject arbitrary web script or HTML via the layered_price_slider parameter.

  • CVE-2012-6641 · Apr 7, 2014
    risk 0.00 · cvss - · epss 0.02

    Cross-site scripting (XSS) vulnerability in redirect.php in the Socolissimo module (modules/socolissimo/) in PrestaShop before 1.4.7.2 allows remote attackers to inject arbitrary web script or HTML via vectors related to "parameter names and values."

  • CVE-2012-5801 · Nov 4, 2012
    risk 0.00 · cvss - · epss 0.01

    The PayPal module in PrestaShop does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate,…

  • CVE-2012-5800 · Nov 4, 2012
    risk 0.00 · cvss - · epss 0.01

    The eBay module in PrestaShop does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

  • CVE-2012-5799 · Nov 4, 2012
    risk 0.00 · cvss - · epss 0.01

    The Canada Post (aka CanadaPost) module in PrestaShop does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary…

  • CVE-2011-3796 · Sep 24, 2011
    risk 0.00 · cvss - · epss 0.02

    PrestaShop 1.4.0.6 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by product-sort.php and certain other files.

  • CVE-2008-5791 · Dec 31, 2008
    risk 0.00 · cvss - · epss 0.02

    Multiple unspecified vulnerabilities in PrestaShop e-Commerce Solution before 1.1 Beta 2 (aka 1.1.0.1) have unknown impact and attack vectors, related to the (1) bankwire module, (2) cheque module, and other components.

Page 5 of 5