CVSS: 5.8EPSS: 0%CPEs: 2EXPL: 1CVE-2012-5800
https://notcve.org/view.php?id=CVE-2012-5800
The eBay module in PrestaShop does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. El módulo eBay en PrestaShop no comprueba si el nombre del servidor coincide con un nombre de dominio en el Common Name (CN) del asunto o el campo subjectAltName del certificado X.509, lo que permite a atacantes man-in-the-middle falsificar servidores SSL a través de un certificado válido de su elección. • http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf https://exchange.xforce.ibmcloud.com/vulnerabilities/79951 • CWE-20: Improper Input Validation •
CVSS: 5.8EPSS: 0%CPEs: 2EXPL: 1CVE-2012-5801
https://notcve.org/view.php?id=CVE-2012-5801
The PayPal module in PrestaShop does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, related to use of the PHP fsockopen function. El módulo PayPal en PrestaShop no comprueba si el nombre del servidor coincide con un nombre de dominio en el Common Name (CN) del asunto o el campo subjectAltName del certificado X.509, lo que permite a atacantes man-in-the-middle falsificar servidores SSL a través de un certificado válido de su elección. Relacionado con el uso de la función PHP fsockopen. • http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf • CWE-20: Improper Input Validation •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 2CVE-2012-2517 – PrestaShop 1.4.7 - Multiple Cross-Site Scripting Vulnerabilities
https://notcve.org/view.php?id=CVE-2012-2517
Cross-site scripting (XSS) vulnerability in PrestaShop before 1.4.9 allows remote attackers to inject arbitrary web script or HTML via the index of the product[] parameter to ajax.php. Una vulnerabilidad de tipo cross-site scripting (XSS) en PrestaShop versiones anteriores a 1.4.9, permite a atacantes remotos inyectar script web o HTML arbitrario por medio del índice del parámetro product[] en el archivo ajax.php. PrestaShop versions 1.4.7 and 1.4.8 suffer from a cross site scripting vulnerability. • https://www.exploit-db.com/exploits/37684 https://www.htbridge.com/advisory/HTB23091 https://www.prestashop.com/download/old/changelog_1.4.9.0.txt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 2CVE-2011-4545 – Prestashop 1.4.4.1 - 'displayImage.php' HTTP Response Splitting
https://notcve.org/view.php?id=CVE-2011-4545
CRLF injection vulnerability in admin/displayImage.php in Prestashop 1.4.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the name parameter. Vulnerabilidad de inyección CRLF en admin/displayimage.php en Prestashop v1.4.4.1 permite a atacantes remotos inyectar cabeceras HTTP arbitrarias y llevar a cabo ataques de división de respuesta HTTP a través del parámetro name. • https://www.exploit-db.com/exploits/36345 http://www.securityfocus.com/bid/50785 https://www.dognaedis.com/vulns/DGS-SEC-7.html • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 4.3EPSS: 0%CPEs: 22EXPL: 6CVE-2011-4544 – PrestaShop 1.4.4.1 - '/admin/ajaxfilemanager/ajax_save_text.php' Multiple Cross-Site Scripting Vulnerabilities
https://notcve.org/view.php?id=CVE-2011-4544
Multiple cross-site scripting (XSS) vulnerabilities in Prestashop before 1.5 allow remote attackers to inject arbitrary web script or HTML via the (1) address or (2) relativ_base_dir parameter to modules/mondialrelay/googlemap.php; the (3) relativ_base_dir, (4) Pays, (5) Ville, (6) CP, (7) Poids, (8) Action, or (9) num parameter to prestashop/modules/mondialrelay/googlemap.php; (10) the num_mode parameter to modules/mondialrelay/kit_mondialrelay/RechercheDetailPointRelais_ajax.php; (11) the Expedition parameter to modules/mondialrelay/kit_mondialrelay/SuiviExpedition_ajax.php; or the (12) folder or (13) name parameter to admin/ajaxfilemanager/ajax_save_text.php. Varias vulnerabilidades de ejecución de comandos en sitios cruzados (XSS) en Prestashop antes de v1.5 permiten a atacantes remotos inyectar secuencias de comandos web o HTML a través de (1) la dirección o (2) el parámetro relativ_base_dir a modules/mondialrelay/googlemap.php; tambien con los parámetros (3) relativ_base_dir, (4) Pays (5), Ville, (6) CP, (7) Poids, (8) Action, o (9) num para prestashop/modules/mondialrelay/googlemap.php; También el parámetro (10) num_mode a modules/mondialrelay/kit_mondialrelay/RechercheDetailPointRelais_ajax.php; (11) el parámetro de la expedición a modules/mondialrelay/kit_mondialrelay/SuiviExpedition_ajax.php, o los parámetros (12) folder o (13) name a admin/ajaxfilemanager/ajax_save_text.php. • https://www.exploit-db.com/exploits/36344 https://www.exploit-db.com/exploits/36342 https://www.exploit-db.com/exploits/36343 https://www.exploit-db.com/exploits/36341 http://www.securityfocus.com/bid/50784 https://www.dognaedis.com/vulns/DGS-SEC-5.html https://www.dognaedis.com/vulns/DGS-SEC-6.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •