
CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0

19 Jun 2024 — In the module "Module Live Chat Pro (All in One Messaging)" (livechatpro) <=8.4.0, a guest can perform PHP code injection. Due to a predictable token, the method `Lcp::saveTranslations()` suffers from a "white writer" that can inject PHP code into a PHP file. • https://security.friendsofpresta.org/modules/2024/06/18/livechatpro.html • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 10.0 | EPSS: 0% | CPEs: 2 | EXPL: 0

19 Jun 2024 — In the module "Custom links" (pk_customlinks) <= 2.3 from Promokit.eu for PrestaShop, a guest can perform SQL injection. The script ajax.php has a sensitive SQL call that can be executed with a trivial HTTP call and exploited to forge a SQL injection. • https://security.friendsofpresta.org/modules/2024/06/18/pk_customlinks.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0

19 Jun 2024 — In the module "Help Desk - Customer Support Management System" (helpdesk) up to version 2.4.0 from FME Modules for PrestaShop, a customer can upload .php files. The methods `HelpdeskHelpdeskModuleFrontController::submitTicket()` and `HelpdeskHelpdeskModuleFrontController::replyTicket()` allow logged-in customers to upload .php files to a predictable path. • https://github.com/friends-of-presta/security-advisories/blob/main/_posts/2024-06-18-helpdesk.md • CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

19 Jun 2024 — In the module "Channable" (channable) up to version 3.2.1 from Channable for PrestaShop, a guest can perform SQL injection via `ChannableFeedModuleFrontController::postProcess()`. • https://github.com/friends-of-presta/security-advisories/blob/main/_posts/2024-06-18-channable.md • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 5.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

14 May 2024 — PrestaShop is an open source e-commerce web application. In PrestaShop 8.1.5, any invoice can be downloaded from the front office in anonymous mode by supplying a random secure_key parameter in the URL. This issue is patched in version 8.1.6. No known workarounds are available. • https://github.com/PrestaShop/PrestaShop/releases/tag/8.1.6 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 10.0 | EPSS: 17% | CPEs: 1 | EXPL: 5

14 May 2024 — PrestaShop is an open source e-commerce web application. A cross-site scripting (XSS) vulnerability that only affects PrestaShop installations with the customer-thread feature flag enabled is present starting from PrestaShop 8.1.0 and prior to PrestaShop 8.1.6. When the customer thread feature flag is enabled, an attacker can upload, through the front-office contact form, a malicious file containing an XSS payload that is executed when an admin opens the attached file in the back office. The script injected can access the session and t... • https://github.com/aelmokhtar/CVE-2024-34716_PoC • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

30 Apr 2024 — An issue in FME Modules fileuploads v2.0.3 and before, fixed in v2.0.4, allows a remote attacker to obtain sensitive information via the uploadfiles.php component. • http://fileuploads.com • CWE-125: Out-of-bounds Read

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

30 Apr 2024 — Directory Traversal vulnerability in FME Modules customfields v2.2.7 and before allows a remote attacker to obtain sensitive information via the "Custom Checkout Fields, Add Custom Fields to Checkout" parameter of ajax.php. • https://addons.prestashop.com/en/registration-ordering-process/19008-custom-checkout-fields-add-custom-fields-to-checkout.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

29 Apr 2024 — An issue in FME Modules eventsmanager before 4.4.0 allows an attacker to obtain sensitive information from the ps_customer component. • https://security.friendsofpresta.org/modules/2024/04/25/eventsmanager.html • CWE-359: Exposure of Private Personal Information to an Unauthorized Actor

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

29 Apr 2024 — SQL injection vulnerability in KnowBand for PrestaShop autosuggest before 2.0.0 allows an attacker to run arbitrary SQL commands via the AutosuggestSearchModuleFrontController::initContent() and AutosuggestSearchModuleFrontController::getKbProducts() components. • https://security.friendsofpresta.org/modules/2024/04/25/autosuggest.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')