CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-43664 – Employee without any access rights can list all installed modules in Prestashop
https://notcve.org/view.php?id=CVE-2023-43664
PrestaShop is an Open Source e-commerce web application. In the Prestashop Back office interface, an employee can list all modules without any access rights: method `ajaxProcessGetPossibleHookingListForModule` doesn't check access rights. This issue has been addressed in commit `15bd281c` which is included in version 8.1.2. Users are advised to upgrade. There are no known workaround for this issue. • https://github.com/PrestaShop/PrestaShop/commit/15bd281c18f032a5134a8d213b44d24829d45762 https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-gvrg-62jp-rf7j • CWE-269: Improper Privilege Management •
CVSS: 6.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-43663 – Improper Privilege Management in Prestashop
https://notcve.org/view.php?id=CVE-2023-43663
PrestaShop is an Open Source e-commerce web application. In affected versions any module can be disabled or uninstalled from back office, even with low user right. This allows low privileged users to disable portions of a shops functionality. Commit `ce1f6708` addresses this issue and is included in version 8.1.2. Users are advised to upgrade. • https://github.com/PrestaShop/PrestaShop/commit/ce1f67083537194e974caf86c57e547a0aaa46cd https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-6jmf-2pfc-q9m7 • CWE-269: Improper Privilege Management •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2022-45448 – Cross-site Scripting in M4 PDF plugin for Prestashop sites
https://notcve.org/view.php?id=CVE-2022-45448
M4 PDF plugin for Prestashop sites, in its 3.2.3 version and before, is vulnerable to an arbitrary HTML Document crafting vulnerability. The resource /m4pdf/pdf.php uses templates to dynamically create documents. In the case that the template does not exist, the application will return a fixed document with a message in mpdf format. An attacker could exploit this vulnerability by inputting a valid HTML/CSS document as the value of the parameter. El complemento M4 PDF para sitios Prestashop, en su versión 3.2.3 y anteriores, es vulnerable a la creación de Documentos HTML arbitraria. • https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-m4-pdf-plugin-prestashop-sites • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-45447 – Path Traversal in M4 PDF plugin for Prestashop sites
https://notcve.org/view.php?id=CVE-2022-45447
M4 PDF plugin for Prestashop sites, in its 3.2.3 version and before, is vulnerable to a directory traversal vulnerability. The âfâ parameter is not properly checked in the resource /m4pdf/pdf.php, returning any file given its relative path. An attacker that exploits this vulnerability could download /etc/passwd from the server if the file exists. El complemento M4 PDF para sitios Prestashop, en su versión 3.2.3 y anteriores, es vulnerable a una vulnerabilidad de Directory Traversal. El parámetro âfâ no está marcado correctamente en el recurso /m4pdf/pdf.php, devolviendo cualquier archivo dada su ruta relativa. • https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-m4-pdf-plugin-prestashop-sites • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-39530 – PrestaShop vulnerable to file deletion via CustomerMessage
https://notcve.org/view.php?id=CVE-2023-39530
PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, it is possible to delete files from the server via the CustomerMessage API. Version 8.1.1 contains a patch for this issue. There are no known workarounds. PrestaShop es una aplicación web de comercio electrónico de código abierto. • https://github.com/PrestaShop/PrestaShop/commit/6ce750b2367a7309b6bf50166f1873cb86ad57e9 https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-v4gr-v679-42p7 • CWE-20: Improper Input Validation •