CVE-2018-19124
https://notcve.org/view.php?id=CVE-2018-19124
PrestaShop 1.6.x before 1.6.1.23 and 1.7.x before 1.7.4.4 on Windows allows remote attackers to write to arbitrary image files. PrestaShop en versiones 1.6.x anteriores a la 1.6.1.23 y 1.7.x anteriores a la 1.7.4.4 en Windows permite que los atacantes remotos escriban en archivos de imagen arbitrarios. • http://build.prestashop.com/news/prestashop-1-7-4-4-1-6-1-23-maintenance-releases https://github.com/PrestaShop/PrestaShop/pull/11285 https://github.com/PrestaShop/PrestaShop/pull/11286 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2018-19126 – PrestaShop 1.6.x/1.7.x - Remote Code Execution
https://notcve.org/view.php?id=CVE-2018-19126
PrestaShop 1.6.x before 1.6.1.23 and 1.7.x before 1.7.4.4 allows remote attackers to execute arbitrary code via a file upload. PrestaShop en versiones 1.6.x anteriores a la 1.6.1.23 y 1.7.x anteriores a la 1.7.4.4 permite que los atacantes remotos ejecuten código arbitrario mediante una subida de archivos. PrestaShop versions 1.6.x and 1.7.x suffer from a remote code execution vulnerability. • https://www.exploit-db.com/exploits/45964 https://github.com/farisv/PrestaShop-CVE-2018-19126 http://build.prestashop.com/news/prestashop-1-7-4-4-1-6-1-23-maintenance-releases https://github.com/PrestaShop/PrestaShop/pull/11285 https://github.com/PrestaShop/PrestaShop/pull/11286 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2018-13784 – PrestaShop < 1.6.1.19 - 'AES CBC' Privilege Escalation
https://notcve.org/view.php?id=CVE-2018-13784
PrestaShop before 1.6.1.20 and 1.7.x before 1.7.3.4 mishandles cookie encryption in Cookie.php, Rinjdael.php, and Blowfish.php. PrestaShop en versiones anteriores a la 1.6.1.20 y versiones 1.7.x anteriores a la 1.7.3.4 gestiona de manera incorrecta el cifrado de cookies en Cookie.php, Rinjdael.php y Blowfish.php. • https://www.exploit-db.com/exploits/45046 https://www.exploit-db.com/exploits/45047 http://build.prestashop.com/news/prestashop-1-7-3-4-1-6-1-20-maintenance-releases https://github.com/PrestaShop/PrestaShop/pull/9218 https://github.com/PrestaShop/PrestaShop/pull/9222 •
CVE-2018-8824
https://notcve.org/view.php?id=CVE-2018-8824
modules/bamegamenu/ajax_phpcode.php in the Responsive Mega Menu (Horizontal+Vertical+Dropdown) Pro module 1.0.32 for PrestaShop 1.5.5.0 through 1.7.2.5 allows remote attackers to execute a SQL Injection through function calls in the code parameter. modules/bamegamenu/ajax_phpcode.php en el módulo Responsive Mega Menu (Horizontal+Vertical+Dropdown) Pro 1.0.32 para PrestaShop de la versión 1.5.5.0 a la 1.7.2.5 permite que atacantes remotos ejecuten una inyección SQL mediante llamadas de función en el parámetro code. • https://ia-informatica.com/it/CVE-2018-8824 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2018-8823
https://notcve.org/view.php?id=CVE-2018-8823
modules/bamegamenu/ajax_phpcode.php in the Responsive Mega Menu (Horizontal+Vertical+Dropdown) Pro module 1.0.32 for PrestaShop 1.5.5.0 through 1.7.2.5 allows remote attackers to execute arbitrary PHP code via the code parameter. Modules/bamegamenu/ajax_phpcode.php en el módulo Responsive Mega Menu (Horizontal+Vertical+Dropdown) Pro 1.0.32 para PrestaShop, desde la versión 1.5.5.0 hasta la 1.7.2.5, permite que atacantes remotos ejecuten código PHP arbitrario mediante el parámetro code. • https://ia-informatica.com/it/CVE-2018-8823 • CWE-94: Improper Control of Generation of Code ('Code Injection') •