CVE-2021-3110
https://notcve.org/view.php?id=CVE-2021-3110
The store system in PrestaShop 1.7.7.0 allows time-based boolean SQL injection via the module=productcomments controller=CommentGrade id_products[] parameter.
References:
https://medium.com/%40gondaliyajaimin797/cve-2021-3110-75a24943ca5e
https://www.exploit-db.com/exploits/49410
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2020-26248 – Blind SQL injection during the CommentGrade process
https://notcve.org/view.php?id=CVE-2020-26248
In the PrestaShop module "productcomments" before version 4.2.1, an attacker can use a Blind SQL injection to retrieve data or stop the MySQL service. The problem is fixed in 4.2.1 of the module. PrestaShop ProductComments version 4.2.0 suffers from a remote blind SQL injection vulnerability.
References:
http://packetstormsecurity.com/files/160539/PrestaShop-ProductComments-4.2.0-SQL-Injection.html
https://github.com/PrestaShop/productcomments/commit/7c2033dd811744e021da8897c80d6c301cd45ffa
https://github.com/PrestaShop/productcomments/releases/tag/v4.2.1
https://github.com/PrestaShop/productcomments/security/advisories/GHSA-5v44-7647-xfw9
https://packagist.org/packages/prestashop/productcomments
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2020-26225 – Reflected XSS in PrestaShop Product Comments
https://notcve.org/view.php?id=CVE-2020-26225
In PrestaShop Product Comments before version 4.2.0, an attacker could inject malicious web code into the users' web browsers by creating a malicious link. The problem was introduced in version 4.0.0 and is fixed in 4.2.0.
References:
https://github.com/PrestaShop/productcomments/commit/c56e3e9495c4a0a9c1e7dc43e1bb0fcad2796dbf
https://github.com/PrestaShop/productcomments/security/advisories/GHSA-58w4-w77w-qv3w
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-26224 – Improper Access Control in PrestaShop
https://notcve.org/view.php?id=CVE-2020-26224
In PrestaShop before version 1.7.6.9, an attacker is able to list all the orders placed on the website without being logged in, by abusing the function that allows a shopping cart to be recreated from an order already placed. The problem is fixed in 1.7.6.9.
References:
https://github.com/PrestaShop/PrestaShop/commit/709d9afab7bdba1de5d7225a40e4f28c35975909
https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-frf2-c9q3-qg9m
CWE-284: Improper Access Control
CVE-2020-15162 – Stored XSS in PrestaShop
https://notcve.org/view.php?id=CVE-2020-15162
In PrestaShop from version 1.5.0.0 and before version 1.7.6.8, users are allowed to send compromised files. These attachments allowed people to input malicious JavaScript which triggered an XSS payload. The problem is fixed in version 1.7.6.8.
References:
https://github.com/PrestaShop/PrestaShop/commit/2cfcd33c75974a49f17665f294f228454e14d9cf
https://github.com/PrestaShop/PrestaShop/releases/tag/1.7.6.8
https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-rc8c-v7rq-q392
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')