CVE-2019-13461
https://notcve.org/view.php?id=CVE-2019-13461
In PrestaShop before 1.7.6.0 RC2, the id_address_delivery and id_address_invoice parameters are affected by an Insecure Direct Object Reference vulnerability due to a guessable value sent to the web application during checkout. An attacker could leak personal customer information. This is PrestaShop bug #14444. En PrestaShop versiones anteriores a 1.7.6.0 RC2, los parámetros id_address_delivery y id_address_invoice se ven afectados por una vulnerabilidad de Referencia de Objeto Directa no Segura debido a un valor que puede enviarse a la aplicación web durante el proceso de pago. Un atacante podría filtrar información personal del cliente. • https://assets.prestashop2.com/en/system/files/ps_releases/changelog_1.7.6.0-rc2.txt https://blog.hacktivesecurity.com/index.php?controller=post&action=view&id_post=40 • CWE-639: Authorization Bypass Through User-Controlled Key •
CVE-2019-11876
https://notcve.org/view.php?id=CVE-2019-11876
In PrestaShop 1.7.5.2, the shop_country parameter in the install/index.php installation script/component is affected by Reflected XSS. Exploitation by a malicious actor requires the user to follow the initial stages of the setup (accepting terms and conditions) before executing the malicious link. En PrestaShop versión 1.7.5.2, el parámetro shop_country en el archivo install/index.php la instalación script/component se ve afectado por una vulnerabilidad Reflected XSS. la explotación por parte de un actor malicioso requiere que el usuario siga las etapas iniciales de la configuración (aceptando los términos y condiciones) antes de ejecutar el enlace malicioso. • https://www.logicallysecure.com/blog/xss-presta-xss-drupal https://www.prestashop.com/forums/forum/2-prestashop-news-and-releases • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2018-19125 – PrestaShop 1.6.x/1.7.x - Remote Code Execution
https://notcve.org/view.php?id=CVE-2018-19125
PrestaShop 1.6.x before 1.6.1.23 and 1.7.x before 1.7.4.4 allows remote attackers to delete an image directory. PrestaShop en versiones 1.6.x anteriores a la 1.6.1.23 y 1.7.x anteriores a la 1.7.4.4 permite que los atacantes remotos eliminen un directorio de imágenes. PrestaShop versions 1.6.x and 1.7.x suffer from a remote code execution vulnerability. • https://www.exploit-db.com/exploits/45964 http://build.prestashop.com/news/prestashop-1-7-4-4-1-6-1-23-maintenance-releases https://github.com/PrestaShop/PrestaShop/pull/11285 https://github.com/PrestaShop/PrestaShop/pull/11286 •
CVE-2018-19124
https://notcve.org/view.php?id=CVE-2018-19124
PrestaShop 1.6.x before 1.6.1.23 and 1.7.x before 1.7.4.4 on Windows allows remote attackers to write to arbitrary image files. PrestaShop en versiones 1.6.x anteriores a la 1.6.1.23 y 1.7.x anteriores a la 1.7.4.4 en Windows permite que los atacantes remotos escriban en archivos de imagen arbitrarios. • http://build.prestashop.com/news/prestashop-1-7-4-4-1-6-1-23-maintenance-releases https://github.com/PrestaShop/PrestaShop/pull/11285 https://github.com/PrestaShop/PrestaShop/pull/11286 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2018-19126 – PrestaShop 1.6.x/1.7.x - Remote Code Execution
https://notcve.org/view.php?id=CVE-2018-19126
PrestaShop 1.6.x before 1.6.1.23 and 1.7.x before 1.7.4.4 allows remote attackers to execute arbitrary code via a file upload. PrestaShop en versiones 1.6.x anteriores a la 1.6.1.23 y 1.7.x anteriores a la 1.7.4.4 permite que los atacantes remotos ejecuten código arbitrario mediante una subida de archivos. PrestaShop versions 1.6.x and 1.7.x suffer from a remote code execution vulnerability. • https://www.exploit-db.com/exploits/45964 https://github.com/farisv/PrestaShop-CVE-2018-19126 http://build.prestashop.com/news/prestashop-1-7-4-4-1-6-1-23-maintenance-releases https://github.com/PrestaShop/PrestaShop/pull/11285 https://github.com/PrestaShop/PrestaShop/pull/11286 • CWE-434: Unrestricted Upload of File with Dangerous Type •