CVSS: 9.8EPSS: 10%CPEs: 1EXPL: 1CVE-2020-15160 – Blind SQL Injection in PrestaShop
https://notcve.org/view.php?id=CVE-2020-15160
PrestaShop from version 1.7.5.0 and before version 1.7.6.8 is vulnerable to a blind SQL Injection attack in the Catalog Product edition page with location parameter. The problem is fixed in 1.7.6.8 PrestaShop a partir de la versión 1.7.5.0 y antes de la versión 1.7.6.8 es vulnerable a un ataque ciego de Inyección SQL en la página de edición del Catálogo de Productos con parámetro de localización. El problema se soluciona en la versión 1.7.6.8 PrestaShop version 1.7.6.7 suffers from a remote blind SQL injection vulnerability. • https://www.exploit-db.com/exploits/49755 http://packetstormsecurity.com/files/162140/PrestaShop-1.7.6.7-SQL-Injection.html https://github.com/PrestaShop/PrestaShop/commit/3fa0dfa5a8f4b149c7c90b948a12b4f5999a5ef8 https://github.com/PrestaShop/PrestaShop/releases/tag/1.7.6.8 https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-fghq-8h87-826g • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2020-15161 – Potential XSS in PrestaShop
https://notcve.org/view.php?id=CVE-2020-15161
In PrestaShop from version 1.6.0.4 and before version 1.7.6.8 an attacker is able to inject javascript while using the contact form. The problem is fixed in 1.7.6.8 En PrestaShop a partir de la versión 1.6.0.4 y antes de la versión 1.7.6.8 un atacante es capaz de inyectar javascript mientras usa el formulario de contacto. El problema se soluciona en la versión 1.7.6.8 • https://github.com/PrestaShop/PrestaShop/commit/562a231fec18a928e4a601860416fe11af274672 https://github.com/PrestaShop/PrestaShop/releases/tag/1.7.6.8 https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-5cp2-r794-w37w • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.3EPSS: 0%CPEs: 1EXPL: 0CVE-2020-15178 – Potential XSS in PrestaShop contactform
https://notcve.org/view.php?id=CVE-2020-15178
In PrestaShop contactform module (prestashop/contactform) before version 4.3.0, an attacker is able to inject JavaScript while using the contact form. The `message` field was incorrectly unescaped, possibly allowing attackers to execute arbitrary JavaScript in a victim's browser. En el módulo contactform de PrestaShop (prestashop/contactform) versiones anteriores a 4.3.0, un atacante puede inyectar JavaScript mientras usa el formulario de contacto. El campo "message" estaba sin escapar incorrectamente, lo que posiblemente permitió a atacantes ejecutar JavaScript arbitrario en el navegador de la víctima • https://github.com/PrestaShop/contactform/commit/ecd9f5d14920ec00885766a7cb41bcc5ed8bfa09 https://github.com/PrestaShop/contactform/security/advisories/GHSA-95hx-62rh-gg96 https://packagist.org/packages/prestashop/contactform • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2020-15102 – Improper access control on dashboard form in PrestaShop
https://notcve.org/view.php?id=CVE-2020-15102
In PrestaShop Dashboard Productions before version 2.1.0, there is improper authorization which enables an attacker to change the configuration. The problem is fixed in 2.1.0. En PrestaShop Dashboard Productions versiones anteriores a 2.1.0, se presenta una autorización inapropiada que permite a un atacante cambiar la configuración. El problema es corregido en la versión 2.1.0 • https://github.com/PrestaShop/dashproducts/commit/f0799c13628a9b9ca6ca75c085b083d924a8ea7e https://github.com/PrestaShop/dashproducts/security/advisories/GHSA-6292-4qpg-hvfg • CWE-284: Improper Access Control CWE-862: Missing Authorization •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2020-4074 – Improper Authentication
https://notcve.org/view.php?id=CVE-2020-4074
In PrestaShop from version 1.5.0.0 and before version 1.7.6.6, the authentication system is malformed and an attacker is able to forge requests and execute admin commands. The problem is fixed in 1.7.6.6. En PrestaShop desde versión 1.5.0.0 y anteriores a la versión 1.7.6.6, el sistema de autenticación es malformado y un atacante es capaz de falsificar peticiones y ejecutar comandos de administración. El problema es corregido en versión 1.7.6.6 • https://github.com/PrestaShop/PrestaShop/commit/30b6a7bdaca9cb940d3ce462906dbb062499fc30 https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-ccvh-jh5x-mpg4 • CWE-287: Improper Authentication •