CVE-2020-5278 – Reflected XSS on Exception page of PrestaShop
https://notcve.org/view.php?id=CVE-2020-5278
In PrestaShop between versions 1.5.4.0 and 1.7.6.5, there is a reflected XSS on Exception page The problem is fixed in 1.7.6.5 En PrestaShop entre las versiones 1.5.4.0 y 1.7.6.5, hay una vulnerabilidad de tipo XSS reflejado en la página Exception. El problema es corregido en la versión 1.7.6.5 • https://github.com/PrestaShop/PrestaShop/commit/ea85210d6e5d81f058b55764bc4608cdb0b36c5d https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-mrpj-67mq-3fr5 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2020-5279 – Improper Access Control for certain legacy controller in PrestaShop
https://notcve.org/view.php?id=CVE-2020-5279
In PrestaShop between versions 1.5.0.0 and 1.7.6.5, there are improper access control since the the version 1.5.0.0 for legacy controllers. - admin-dev/index.php/configure/shop/customer-preferences/ - admin-dev/index.php/improve/international/translations/ - admin-dev/index.php/improve/international/geolocation/ - admin-dev/index.php/improve/international/localization - admin-dev/index.php/configure/advanced/performance - admin-dev/index.php/sell/orders/delivery-slips/ - admin-dev/index.php?controller=AdminStatuses The problem is fixed in 1.7.6.5 En PrestaShop entre las versiones 1.5.0.0 y 1.7.6.5, hay un control de acceso inapropiado desde la versión 1.5.0.0 para controladores heredados. - admin-dev/index.php/configure/shop/customer-preferences/ - admin-dev/index.php/improve/international/translations/ - admin-dev/index.php/improve/international/geolocation/ - admin-dev/index.php/improve/international/localization - admin-dev/index.php/configure/advanced/performance - admin-dev/index.php/sell/orders/delivery-slips/ - admin-dev/index.php?controller=AdminStatuses. El problema es corregido en la versión 1.7.6.5 • https://github.com/PrestaShop/PrestaShop/commit/4444fb85761667a2206874a3112ccc77f657d76a https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-74vp-ww64-w2gm • CWE-284: Improper Access Control CWE-863: Incorrect Authorization •
CVE-2020-5285 – Reflected XSS with back parameter in PrestaShop
https://notcve.org/view.php?id=CVE-2020-5285
In PrestaShop between versions 1.7.6.0 and 1.7.6.5, there is a reflected XSS with `back` parameter. The problem is fixed in 1.7.6.5 En PrestaShop entre las versiones 1.7.6.0 y 1.7.6.5, hay una vulnerabilidad de tipo XSS reflejado con el parámetro "back". El problema se corrigió en la versión 1.7.6.5. • https://github.com/PrestaShop/PrestaShop/commit/b6aea152988d81e1586f1c03f2e72c9ef2fe7df7 https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-j3r6-33hf-m8wh • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2020-5269 – Reflected XSS on AdminFeatures page of PrestaShop
https://notcve.org/view.php?id=CVE-2020-5269
In PrestaShop between versions 1.7.6.1 and 1.7.6.5, there is a reflected XSS on AdminFeatures page by using the `id_feature` parameter. The problem is fixed in 1.7.6.5 En PrestaShop entre las versiones 1.7.6.1 y 1.7.6.5, hay una vulnerabilidad de tipo XSS reflejado en la página AdminFeatures usando el parámetro "id_feature". El problema se corrigió en la versión 1.7.6.5 • https://github.com/PrestaShop/PrestaShop/commit/9efca621a0b74b82dafa91e6b955120036e31334 https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-87jh-7xpg-6v93 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2020-5270 – Open redirection when using back parameter of PrestaShop
https://notcve.org/view.php?id=CVE-2020-5270
In PrestaShop between versions 1.7.6.0 and 1.7.6.5, there is an open redirection when using back parameter. The impacts can be many, and vary from the theft of information and credentials to the redirection to malicious websites containing attacker-controlled content, which in some cases even cause XSS attacks. So even though an open redirection might sound harmless at first, the impacts of it can be severe should it be exploitable. The problem is fixed in 1.7.6.5 En PrestaShop entre las versiones 1.7.6.0 y 1.7.6.5, hay un redireccionamiento abierto cuando se usa el parámetro back. Los impactos pueden ser muchos y varían desde el robo de información y credenciales hasta el redireccionamiento a sitios web maliciosos que contienen contenido controlado por los atacantes, que en algunos casos incluso causan ataques de tipo XSS. • https://github.com/PrestaShop/PrestaShop/commit/cd2219dca49965ae8421bb5a53fc301f3f23c458 https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-375w-q56h-h7qc • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •