Filtered by vendor Prestashop
Subscribe
Search
Total
23 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-39525 | 1 Prestashop | 1 Prestashop | 2023-08-10 | N/A | 9.1 CRITICAL |
| PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, in the back office, files can be compromised using path traversal by replaying the import file deletion query with a specified file path that uses the traversal path. Version 8.1.1 contains a patch for this issue. There are no known workarounds. | |||||
| CVE-2023-39524 | 1 Prestashop | 1 Prestashop | 2023-08-10 | N/A | 9.8 CRITICAL |
| PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, SQL injection possible in the product search field, in BO's product page. Version 8.1.1 contains a patch for this issue. There are no known workarounds. | |||||
| CVE-2023-39526 | 1 Prestashop | 1 Prestashop | 2023-08-09 | N/A | 9.8 CRITICAL |
| PrestaShop is an open source e-commerce web application. Versions prior to 1.7.8.10, 8.0.5, and 8.1.1 are vulnerable to remote code execution through SQL injection and arbitrary file write in the back office. Versions 1.7.8.10, 8.0.5, and 8.1.1 contain a patch. There are no known workarounds. | |||||
| CVE-2023-39529 | 1 Prestashop | 1 Prestashop | 2023-08-09 | N/A | 9.1 CRITICAL |
| PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, it is possible to delete a file from the server by using the Attachments controller and the Attachments API. Version 8.1.1 contains a patch for this issue. There are no known workarounds. | |||||
| CVE-2023-39530 | 1 Prestashop | 1 Prestashop | 2023-08-09 | N/A | 9.1 CRITICAL |
| PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, it is possible to delete files from the server via the CustomerMessage API. Version 8.1.1 contains a patch for this issue. There are no known workarounds. | |||||
| CVE-2023-30151 | 1 Prestashop | 1 Prestashop | 2023-08-01 | N/A | 9.8 CRITICAL |
| A SQL injection vulnerability in the Boxtal (envoimoinscher) module for PrestaShop, after version 3.1.10, allows remote attackers to execute arbitrary SQL commands via the `key` GET parameter. | |||||
| CVE-2023-30153 | 1 Prestashop | 1 Payplug | 2023-07-27 | N/A | 9.8 CRITICAL |
| An SQL injection vulnerability in the Payplug (payplug) module for PrestaShop, in versions 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.7.0 and 3.7.1, allows remote attackers to execute arbitrary SQL commands via the ajax.php front controller. | |||||
| CVE-2022-21686 | 1 Prestashop | 1 Prestashop | 2022-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| PrestaShop is an Open Source e-commerce platform. Starting with version 1.7.0.0 and ending with version 1.7.8.3, an attacker is able to inject twig code inside the back office when using the legacy layout. The problem is fixed in version 1.7.8.3. There are no known workarounds. | |||||
| CVE-2021-43789 | 1 Prestashop | 1 Prestashop | 2021-12-08 | 7.5 HIGH | 9.8 CRITICAL |
| PrestaShop is an Open Source e-commerce web application. Versions of PrestaShop prior to 1.7.8.2 are vulnerable to blind SQL injection using search filters with `orderBy` and `sortOrder` parameters. The problem is fixed in version 1.7.8.2. | |||||
| CVE-2020-15160 | 1 Prestashop | 1 Prestashop | 2021-05-05 | 7.5 HIGH | 9.8 CRITICAL |
| PrestaShop from version 1.7.5.0 and before version 1.7.6.8 is vulnerable to a blind SQL Injection attack in the Catalog Product edition page with location parameter. The problem is fixed in 1.7.6.8 | |||||
| CVE-2021-21308 | 1 Prestashop | 1 Prestashop | 2021-03-05 | 6.4 MEDIUM | 9.1 CRITICAL |
| PrestaShop is a fully scalable open source e-commerce solution. In PrestaShop before version 1.7.2 the soft logout system is not complete and an attacker is able to foreign request and executes customer commands. The problem is fixed in 1.7.7.2 | |||||
| CVE-2021-3110 | 1 Prestashop | 1 Prestashop | 2021-01-22 | 7.5 HIGH | 9.8 CRITICAL |
| The store system in PrestaShop 1.7.7.0 allows time-based boolean SQL injection via the module=productcomments controller=CommentGrade id_products[] parameter. | |||||
| CVE-2020-15178 | 1 Prestashop | 1 Contactform | 2020-09-21 | 4.3 MEDIUM | 9.3 CRITICAL |
| In PrestaShop contactform module (prestashop/contactform) before version 4.3.0, an attacker is able to inject JavaScript while using the contact form. The `message` field was incorrectly unescaped, possibly allowing attackers to execute arbitrary JavaScript in a victim's browser. | |||||
| CVE-2020-4074 | 1 Prestashop | 1 Prestashop | 2020-07-07 | 10.0 HIGH | 9.8 CRITICAL |
| In PrestaShop from version 1.5.0.0 and before version 1.7.6.6, the authentication system is malformed and an attacker is able to forge requests and execute admin commands. The problem is fixed in 1.7.6.6. | |||||
| CVE-2018-19355 | 2 Mypresta, Prestashop | 2 Customer Files Upload, Prestashop | 2020-06-02 | 7.5 HIGH | 9.8 CRITICAL |
| modules/orderfiles/ajax/upload.php in the Customer Files Upload addon 2018-08-01 for PrestaShop (1.5 through 1.7) allows remote attackers to execute arbitrary code by uploading a php file via modules/orderfiles/upload.php with auptype equal to product (for upload destinations under modules/productfiles), order (for upload destinations under modules/files), or cart (for upload destinations under modules/cartfiles). | |||||
| CVE-2013-6295 | 1 Prestashop | 1 Prestashop | 2020-02-21 | 7.5 HIGH | 9.8 CRITICAL |
| PrestaShop 1.5.5 vulnerable to privilege escalation via a Salesman account via upload module | |||||
| CVE-2019-19595 | 2 Adobe, Prestashop | 2 Stock Api Integration, Prestashop | 2019-12-09 | 7.5 HIGH | 9.8 CRITICAL |
| reset/modules/advanced_form_maker_edit/multiupload/upload.php in the RESET.PRO Adobe Stock API integration 4.8 for PrestaShop allows remote attackers to execute arbitrary code by uploading a .php file. | |||||
| CVE-2019-19594 | 2 Adobe, Prestashop | 2 Stock Api Integration, Prestashop | 2019-12-09 | 7.5 HIGH | 9.8 CRITICAL |
| reset/modules/fotoliaFoto/multi_upload.php in the RESET.PRO Adobe Stock API Integration for PrestaShop 1.6 and 1.7 allows remote attackers to execute arbitrary code by uploading a .php file. | |||||
| CVE-2018-13784 | 1 Prestashop | 1 Prestashop | 2019-10-03 | 6.4 MEDIUM | 9.1 CRITICAL |
| PrestaShop before 1.6.1.20 and 1.7.x before 1.7.3.4 mishandles cookie encryption in Cookie.php, Rinjdael.php, and Blowfish.php. | |||||
| CVE-2018-19126 | 1 Prestashop | 1 Prestashop | 2018-12-12 | 7.5 HIGH | 9.8 CRITICAL |
| PrestaShop 1.6.x before 1.6.1.23 and 1.7.x before 1.7.4.4 allows remote attackers to execute arbitrary code via a file upload. | |||||
| CVE-2018-10942 | 2 Attribute Wizard Project, Prestashop | 2 Attribute Wizard, Prestashop | 2018-06-13 | 7.5 HIGH | 9.8 CRITICAL |
| modules/attributewizardpro/file_upload.php in the Attribute Wizard addon 1.6.9 for PrestaShop 1.4.0.1 through 1.6.1.18 allows remote attackers to execute arbitrary code by uploading a .phtml file. | |||||
| CVE-2018-8824 | 2 Prestashop, Responsive Mega Menu Pro Project | 2 Prestashop, Responsive Mega Menu Pro | 2018-06-13 | 7.5 HIGH | 9.8 CRITICAL |
| modules/bamegamenu/ajax_phpcode.php in the Responsive Mega Menu (Horizontal+Vertical+Dropdown) Pro module 1.0.32 for PrestaShop 1.5.5.0 through 1.7.2.5 allows remote attackers to execute a SQL Injection through function calls in the code parameter. | |||||
| CVE-2018-8823 | 2 Prestashop, Responsive Mega Menu Pro Project | 2 Prestashop, Responsive Mega Menu Pro | 2018-04-24 | 7.5 HIGH | 9.8 CRITICAL |
| modules/bamegamenu/ajax_phpcode.php in the Responsive Mega Menu (Horizontal+Vertical+Dropdown) Pro module 1.0.32 for PrestaShop 1.5.5.0 through 1.7.2.5 allows remote attackers to execute arbitrary PHP code via the code parameter. | |||||