
CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

29 Apr 2024 — SQL Injection vulnerability in FME Modules preorderandnotication v.3.1.0 and before allows a remote attacker to run arbitrary SQL commands via the PreorderModel::getIdProductAttributesByIdAttributes() method.
• https://security.friendsofpresta.org/modules/2024/04/25/preorderandnotification.html
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 5.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

29 Mar 2024 — Insertion of Sensitive Information into Log File vulnerability in Frédéric GILLES FG PrestaShop to WooCommerce. This issue affects FG PrestaShop to WooCommerce: from n/a through 4.45.1. The FG PrestaShop to WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up...
• https://patchstack.com/database/vulnerability/fg-prestashop-to-woocommerce/wordpress-fg-prestashop-to-woocommerce-plugin-4-45-1-sensitive-data-exposure-via-log-file-vulnerability?_s_id=cve
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
• CWE-532: Insertion of Sensitive Information into Log File

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

25 Mar 2024 — SQL injection vulnerability in scalapay v.1.2.41 and before allows a remote attacker to escalate privileges via the ScalapayReturnModuleFrontController::postProcess() method.
• https://addons.prestashop.com/fr/paiement-en-plusieurs-fois/87023-scalapay-payez-en-3-fois-sans-frais.html
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

20 Mar 2024 — SQL injection vulnerability in pscartabandonmentpro v.2.0.11 and before allows a remote attacker to escalate privileges via the pscartabandonmentproFrontCAPUnsubscribeJobModuleFrontController::setEmailVisualized() method.
• https://addons.prestashop.com/en/remarketing-shopping-cart-abandonment/16535-abandoned-cart-reminder-pro.html
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

08 Mar 2024 — In the module "CD Custom Fields 4 Orders" (cdcustomfields4orders) <= 1.0.0 from Cleanpresta.com for PrestaShop, a guest can perform SQL injection in affected versions.
• https://security.friendsofpresta.org/modules/2024/03/05/cdcustomfields4orders.html
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 5.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

19 Feb 2024 — PrestaShop is an open-source e-commerce platform. Starting in version 8.1.0 and prior to version 8.1.4, PrestaShop is vulnerable to path disclosure in a JavaScript variable. A patch is available in version 8.1.4.
• https://github.com/PrestaShop/PrestaShop/commit/444bd0dea581659918fe2067541b9863cf099dd5
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 5.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

16 Jan 2024 — An issue in 202 ecommerce Advanced Loyalty Program: Loyalty Points before v2.3.4 for PrestaShop allows unauthenticated attackers to arbitrarily change an order status.
• https://github.com/202ecommerce/security-advisories/security/advisories/GHSA-jp2c-mj65-qpmw
• CWE-862: Missing Authorization

CVSS: 6.4 | EPSS: 0% | CPEs: 1 | EXPL: 0

02 Jan 2024 — PrestaShop is an open-source e-commerce platform. Prior to version 8.1.3, the isCleanHtml method is not used on this form, which makes it possible to store a cross-site scripting payload in the database. The impact is low because the HTML is not interpreted in BO, thanks to twig's escape mechanism. In FO, the cross-site scripting attack is effective, but only impacts the customer sending it, or the customer session from which it was sent. This issue affects those who have a module fetching these messag...
• https://github.com/PrestaShop/PrestaShop/commit/c3d78b7e49f5fe49a9d07725c3174d005deaa597
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.1 | EPSS: 0% | CPEs: 2 | EXPL: 0

02 Jan 2024 — PrestaShop is an open-source e-commerce platform. Prior to versions 8.1.3 and 1.7.8.11, some event attributes are not detected by the `isCleanHTML` method. Some modules using the `isCleanHTML` method could be vulnerable to cross-site scripting. Versions 8.1.3 and 1.7.8.11 contain a patch for this issue. The best workaround is to use the `HTMLPurifier` library to sanitize html input coming from users.
• https://github.com/PrestaShop/PrestaShop/commit/73cfb44666818eefd501b526a894fe884dd12129
• CWE-20: Improper Input Validation
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

09 Nov 2023 — blockreassurance adds an information block aimed at offering helpful information to reassure customers that their store is trustworthy. An ajax function in module blockreassurance allows modifying any value in the configuration table. This vulnerability has been patched in version 5.1.4.
• https://github.com/PrestaShop/blockreassurance/security/advisories/GHSA-xfm3-hjcc-gv78
• CWE-284: Improper Access Control