CVE-2018-19355
https://notcve.org/view.php?id=CVE-2018-19355
modules/orderfiles/ajax/upload.php in the Customer Files Upload addon 2018-08-01 for PrestaShop (1.5 through 1.7) allows remote attackers to execute arbitrary code by uploading a PHP file via modules/orderfiles/upload.php with auptype equal to product (for upload destinations under modules/productfiles), order (for upload destinations under modules/files), or cart (for upload destinations under modules/cartfiles).
• https://ia-informatica.com/it/CVE-2018-19355
• CWE-434: Unrestricted Upload of File with Dangerous Type
CVE-2018-19125 – PrestaShop 1.6.x/1.7.x - Remote Code Execution
https://notcve.org/view.php?id=CVE-2018-19125
PrestaShop 1.6.x before 1.6.1.23 and 1.7.x before 1.7.4.4 allows remote attackers to delete an image directory. PrestaShop versions 1.6.x and 1.7.x suffer from a remote code execution vulnerability.
• https://www.exploit-db.com/exploits/45964
• http://build.prestashop.com/news/prestashop-1-7-4-4-1-6-1-23-maintenance-releases
• https://github.com/PrestaShop/PrestaShop/pull/11285
• https://github.com/PrestaShop/PrestaShop/pull/11286
CVE-2018-19126 – PrestaShop 1.6.x/1.7.x - Remote Code Execution
https://notcve.org/view.php?id=CVE-2018-19126
PrestaShop 1.6.x before 1.6.1.23 and 1.7.x before 1.7.4.4 allows remote attackers to execute arbitrary code via a file upload. PrestaShop versions 1.6.x and 1.7.x suffer from a remote code execution vulnerability.
• https://www.exploit-db.com/exploits/45964
• https://github.com/farisv/PrestaShop-CVE-2018-19126
• http://build.prestashop.com/news/prestashop-1-7-4-4-1-6-1-23-maintenance-releases
• https://github.com/PrestaShop/PrestaShop/pull/11285
• https://github.com/PrestaShop/PrestaShop/pull/11286
• CWE-434: Unrestricted Upload of File with Dangerous Type
CVE-2018-19124
https://notcve.org/view.php?id=CVE-2018-19124
PrestaShop 1.6.x before 1.6.1.23 and 1.7.x before 1.7.4.4 on Windows allows remote attackers to write to arbitrary image files.
• http://build.prestashop.com/news/prestashop-1-7-4-4-1-6-1-23-maintenance-releases
• https://github.com/PrestaShop/PrestaShop/pull/11285
• https://github.com/PrestaShop/PrestaShop/pull/11286
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2018-13784 – PrestaShop < 1.6.1.19 - 'AES CBC' Privilege Escalation
https://notcve.org/view.php?id=CVE-2018-13784
PrestaShop before 1.6.1.20 and 1.7.x before 1.7.3.4 mishandles cookie encryption in Cookie.php, Rijndael.php, and Blowfish.php.
• https://www.exploit-db.com/exploits/45046
• https://www.exploit-db.com/exploits/45047
• http://build.prestashop.com/news/prestashop-1-7-3-4-1-6-1-20-maintenance-releases
• https://github.com/PrestaShop/PrestaShop/pull/9218
• https://github.com/PrestaShop/PrestaShop/pull/9222