Page 3 of 118 results (0.006 seconds)

CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0

PrestaShop is an Open Source e-commerce web application. In the Prestashop Back office interface, an employee can list all modules without any access rights: method `ajaxProcessGetPossibleHookingListForModule` doesn't check access rights. This issue has been addressed in commit `15bd281c` which is included in version 8.1.2. Users are advised to upgrade. There are no known workaround for this issue. • https://github.com/PrestaShop/PrestaShop/commit/15bd281c18f032a5134a8d213b44d24829d45762 https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-gvrg-62jp-rf7j • CWE-269: Improper Privilege Management •

CVSS: 6.3EPSS: 0%CPEs: 1EXPL: 0

PrestaShop is an Open Source e-commerce web application. In affected versions any module can be disabled or uninstalled from back office, even with low user right. This allows low privileged users to disable portions of a shops functionality. Commit `ce1f6708` addresses this issue and is included in version 8.1.2. Users are advised to upgrade. • https://github.com/PrestaShop/PrestaShop/commit/ce1f67083537194e974caf86c57e547a0aaa46cd https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-6jmf-2pfc-q9m7 • CWE-269: Improper Privilege Management •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0

M4 PDF plugin for Prestashop sites, in its 3.2.3 version and before, is vulnerable to an arbitrary HTML Document crafting vulnerability. The resource /m4pdf/pdf.php uses templates to dynamically create documents. In the case that the template does not exist, the application will return a fixed document with a message in mpdf format. An attacker could exploit this vulnerability by inputting a valid HTML/CSS document as the value of the parameter. El complemento M4 PDF para sitios Prestashop, en su versión 3.2.3 y anteriores, es vulnerable a la creación de Documentos HTML arbitraria. • https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-m4-pdf-plugin-prestashop-sites • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0

M4 PDF plugin for Prestashop sites, in its 3.2.3 version and before, is vulnerable to a directory traversal vulnerability. The “f” parameter is not properly checked in the resource /m4pdf/pdf.php, returning any file given its relative path. An attacker that exploits this vulnerability could download /etc/passwd from the server if the file exists. El complemento M4 PDF para sitios Prestashop, en su versión 3.2.3 y anteriores, es vulnerable a una vulnerabilidad de Directory Traversal. El parámetro “f” no está marcado correctamente en el recurso /m4pdf/pdf.php, devolviendo cualquier archivo dada su ruta relativa. • https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-m4-pdf-plugin-prestashop-sites • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0

PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, it is possible to delete files from the server via the CustomerMessage API. Version 8.1.1 contains a patch for this issue. There are no known workarounds. PrestaShop es una aplicación web de comercio electrónico de código abierto. • https://github.com/PrestaShop/PrestaShop/commit/6ce750b2367a7309b6bf50166f1873cb86ad57e9 https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-v4gr-v679-42p7 • CWE-20: Improper Input Validation •