CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2021-21308 – Improper session management for soft logout
https://notcve.org/view.php?id=CVE-2021-21308
26 Feb 2021 — PrestaShop is a fully scalable open source e-commerce solution. In PrestaShop before version 1.7.2 the soft logout system is not complete and an attacker is able to foreign request and executes customer commands. The problem is fixed in 1.7.7.2 PrestaShop es una solución de comercio electrónico de código abierto totalmente escalable. En PrestaShop versiones anteriores a 1.7.2, el sistema de cierre de sesión suave no está completo y un atacante puede realizar peticiones externas y ejecutar comandos del clien... • https://github.com/PrestaShop/PrestaShop/commit/2f673bd93e313f08c35e74decc105f40dc0b7dee • CWE-287: Improper Authentication •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2021-21302 – CSV Injection via csv export
https://notcve.org/view.php?id=CVE-2021-21302
26 Feb 2021 — PrestaShop is a fully scalable open source e-commerce solution. In PrestaShop before version 1.7.2 there is a CSV Injection vulnerability possible by using shop search keywords via the admin panel. The problem is fixed in 1.7.7.2 PrestaShop es una solución de comercio electrónico de código abierto totalmente escalable. En PrestaShop versiones anteriores a 1.7.2, se presenta una posible vulnerabilidad de inyección de CSV al usar de palabras clave de búsqueda de la tienda por medio del panel de administración... • https://github.com/PrestaShop/PrestaShop/commit/782b1368aa4e94dafe28f57485bffbd8893fbb1e • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-1236: Improper Neutralization of Formula Elements in a CSV File •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2020-26224 – Improper Access Control in PrestaShop
https://notcve.org/view.php?id=CVE-2020-26224
16 Nov 2020 — In PrestaShop before version 1.7.6.9 an attacker is able to list all the orders placed on the website without being logged by abusing the function that allows a shopping cart to be recreated from an order already placed. The problem is fixed in 1.7.6.9. En PrestaShop anterior a versión 1.7.6.9, un atacante es capaz de enumerar todos los pedidos realizados en el sitio web sin estar registrados al abusar de la función que permite a un carrito de compras ser recreado a partir de un pedido ya realizado. El... • https://github.com/PrestaShop/PrestaShop/commit/709d9afab7bdba1de5d7225a40e4f28c35975909 • CWE-284: Improper Access Control •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2020-15162 – Stored XSS in PrestaShop
https://notcve.org/view.php?id=CVE-2020-15162
24 Sep 2020 — In PrestaShop from version 1.5.0.0 and before version 1.7.6.8, users are allowed to send compromised files. These attachments allowed people to input malicious JavaScript which triggered an XSS payload. The problem is fixed in version 1.7.6.8. En PrestaShop a partir de la versión 1.5.0.0 y antes de la versión 1.7.6.8, los usuarios pueden enviar archivos comprometidos. Estos archivos adjuntos permitieron a la gente introducir JavaScript malicioso que desencadenó una carga útil de XSS. • https://github.com/PrestaShop/PrestaShop/commit/2cfcd33c75974a49f17665f294f228454e14d9cf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2020-4074 – Improper Authentication
https://notcve.org/view.php?id=CVE-2020-4074
02 Jul 2020 — In PrestaShop from version 1.5.0.0 and before version 1.7.6.6, the authentication system is malformed and an attacker is able to forge requests and execute admin commands. The problem is fixed in 1.7.6.6. En PrestaShop desde versión 1.5.0.0 y anteriores a la versión 1.7.6.6, el sistema de autenticación es malformado y un atacante es capaz de falsificar peticiones y ejecutar comandos de administración. El problema es corregido en versión 1.7.6.6 • https://github.com/PrestaShop/PrestaShop/commit/30b6a7bdaca9cb940d3ce462906dbb062499fc30 • CWE-287: Improper Authentication •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2020-15079 – Improper access control in PrestaShop
https://notcve.org/view.php?id=CVE-2020-15079
02 Jul 2020 — In PrestaShop from version 1.5.0.0 and before version 1.7.6.6, there is improper access control in Carrier page, Module Manager and Module Positions. The problem is fixed in version 1.7.6.6 En PrestaShop desde versión 1.5.0.0 y anteriores a versión 1.7.6.6, se presenta un control de acceso inapropiado en la página Carrier, Module Manager y Module Positions. El problema es corregido en versión 1.7.6.6 • https://github.com/PrestaShop/PrestaShop/commit/8833d9504cc5d69a2a6d10197f56f0c11443cbfa • CWE-284: Improper Access Control •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2020-15081 – Information exposure in the upload directory in PrestaShop
https://notcve.org/view.php?id=CVE-2020-15081
02 Jul 2020 — In PrestaShop from version 1.5.0.0 and before 1.7.6.6, there is information exposure in the upload directory. The problem is fixed in version 1.7.6.6. A possible workaround is to add an empty index.php file in the upload directory. En PrestaShop desde versión 1.5.0.0 y anteriores a 1.7.6.6, se presenta una exposición de información en el directorio de carga. El problema es corregido en versión 1.7.6.6. • https://github.com/PrestaShop/PrestaShop/commit/bac9ea6936b073f84b1abd9864317af3713f1901 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-548: Exposure of Information Through Directory Listing •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2020-5279 – Improper Access Control for certain legacy controller in PrestaShop
https://notcve.org/view.php?id=CVE-2020-5279
20 Apr 2020 — In PrestaShop between versions 1.5.0.0 and 1.7.6.5, there are improper access control since the the version 1.5.0.0 for legacy controllers. - admin-dev/index.php/configure/shop/customer-preferences/ - admin-dev/index.php/improve/international/translations/ - admin-dev/index.php/improve/international/geolocation/ - admin-dev/index.php/improve/international/localization - admin-dev/index.php/configure/advanced/performance - admin-dev/index.php/sell/orders/delivery-slips/ - admin-dev/index.php?controller=Admin... • https://github.com/PrestaShop/PrestaShop/commit/4444fb85761667a2206874a3112ccc77f657d76a • CWE-284: Improper Access Control CWE-863: Incorrect Authorization •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 1CVE-2019-13461
https://notcve.org/view.php?id=CVE-2019-13461
09 Jul 2019 — In PrestaShop before 1.7.6.0 RC2, the id_address_delivery and id_address_invoice parameters are affected by an Insecure Direct Object Reference vulnerability due to a guessable value sent to the web application during checkout. An attacker could leak personal customer information. This is PrestaShop bug #14444. En PrestaShop versiones anteriores a 1.7.6.0 RC2, los parámetros id_address_delivery y id_address_invoice se ven afectados por una vulnerabilidad de Referencia de Objeto Directa no Segura debido a un... • https://assets.prestashop2.com/en/system/files/ps_releases/changelog_1.7.6.0-rc2.txt • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 8.8EPSS: 3%CPEs: 1EXPL: 1CVE-2018-20717
https://notcve.org/view.php?id=CVE-2018-20717
15 Jan 2019 — In the orders section of PrestaShop before 1.7.2.5, an attack is possible after gaining access to a target store with a user role with the rights of at least a Salesman or higher privileges. The attacker can then inject arbitrary PHP objects into the process and abuse an object chain in order to gain Remote Code Execution. This occurs because protection against serialized objects looks for a 0: followed by an integer, but does not consider 0:+ followed by an integer. En la sección de pedidos de PrestaShop, ... • https://blog.ripstech.com/2018/prestashop-remote-code-execution • CWE-94: Improper Control of Generation of Code ('Code Injection') •