CVE-2023-39524 – PrestaShop vulnerable to boolean SQL injection in search product in BO
https://notcve.org/view.php?id=CVE-2023-39524
PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, SQL injection is possible in the product search field, in the BO's product page. Version 8.1.1 contains a patch for this issue. There are no known workarounds. • https://github.com/PrestaShop/PrestaShop/commit/2047d4c053043102bc46a37d383b392704bf14d7 https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-75p5-jwx4-qw9h • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2023-30151
https://notcve.org/view.php?id=CVE-2023-30151
A SQL injection vulnerability in the Boxtal (envoimoinscher) module for PrestaShop, after version 3.1.10, allows remote attackers to execute arbitrary SQL commands via the `key` GET parameter. • https://addons.prestashop.com/en/shipping-carriers/1755-boxtal-connect-turnkey-shipping-solution.html https://help.boxtal.com/hc/fr/articles/360001342977-J-ai-besoin-du-module-PrestaShop-ancienne-version-Boxtal-Envoimoinscher-pour-mon-site https://security.friendsofpresta.org/module/2023/06/20/envoimoinscher.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2023-31672
https://notcve.org/view.php?id=CVE-2023-31672
In the PrestaShop < 2.4.3 module "Length, weight or volume sell" (ailinear) there is a SQL injection vulnerability. A SQL injection vulnerability has been discovered in PrestaShop versions prior to v2.4.3 in the "Length, weight or volume sell" module. • https://friends-of-presta.github.io/security-advisories/modules/2023/06/15/ailinear.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2023-30149
https://notcve.org/view.php?id=CVE-2023-30149
SQL injection vulnerability in the City Autocomplete (cityautocomplete) module from ebewe.net for PrestaShop, prior to version 1.8.12 (for PrestaShop version 1.5/1.6) or prior to 2.0.3 (for PrestaShop version 1.7), allows remote attackers to execute arbitrary SQL commands via the type, input_name, or q parameter in the autocompletion.php front controller. • https://addons.prestashop.com/fr/inscription-processus-de-commande/6097-city-autocomplete.html https://friends-of-presta.github.io/security-advisories/module/2023/06/01/cityautocomplete.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2023-30839 – PrestaShop vulnerable to SQL filter bypass leading to arbitrary write requests using "SQL Manager"
https://notcve.org/view.php?id=CVE-2023-30839
PrestaShop is an Open Source e-commerce web application. Versions prior to 8.0.4 and 1.7.8.9 contain a SQL filtering vulnerability. A BO user can write, update, and delete in the database, even without having specific rights. PrestaShop 8.0.4 and 1.7.8.9 contain a patch for this issue. There are no known workarounds. • https://github.com/PrestaShop/PrestaShop/commit/0f2a9b7fdd42d1dd3b21d4fad586a849642f3c30 https://github.com/PrestaShop/PrestaShop/commit/d1d27dc371599713c912b71bc2a455cacd7f2149 https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-p379-cxqh-q822 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •