CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2020-5287 – Improper access control on customers search in PrestaShop
https://notcve.org/view.php?id=CVE-2020-5287
20 Apr 2020 — In PrestaShop between versions 1.5.5.0 and 1.7.6.5, there is improper access control on customers search. The problem is fixed in 1.7.6.5. En PrestaShop entre las versiones 1.5.5.0 y 1.7.6.5, hay un control de acceso inapropiado en la búsqueda de clientes. El problema se corrigió en la versión 1.7.6.5. • https://github.com/PrestaShop/PrestaShop/commit/27e49d89808f1d76eb909a595f344a6739bc0b52 • CWE-284: Improper Access Control CWE-863: Incorrect Authorization •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2020-5271 – Reflected XSS with dashboard calendar of PrestaShop
https://notcve.org/view.php?id=CVE-2020-5271
20 Apr 2020 — In PrestaShop between versions 1.6.0.0 and 1.7.6.5, there is a reflected XSS with `date_from` and `date_to` parameters in the dashboard page This problem is fixed in 1.7.6.5 En PrestaShop entre las versiones 1.6.0.0 y 1.7.6.5, hay una vulnerabilidad de tipo XSS reflejado con los parámetros "date_from" y "date_to" en la página del panel de control. Este problema es corregido en la versión 1.7.6.5 • https://github.com/PrestaShop/PrestaShop/commit/c464518d2aaf195007a1eb055fce64a9a027e00a • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2020-5272 – Reflected XSS on Search page of PrestaShop
https://notcve.org/view.php?id=CVE-2020-5272
20 Apr 2020 — In PrestaShop between versions 1.5.5.0 and 1.7.6.5, there is a reflected XSS on Search page with `alias` and `search` parameters. The problem is patched in 1.7.6.5 En PrestaShop entre las versiones 1.5.5.0 y 1.7.6.5, hay una vulnerabilidad de tipo XSS reflejado en la página Search con los parámetros "alias" y "search". El problema está solucionado en la versión 1.7.6.5 • https://github.com/PrestaShop/PrestaShop/commit/d3bf027fa37e8105fed3c809d636ebe787e43f46 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2020-5278 – Reflected XSS on Exception page of PrestaShop
https://notcve.org/view.php?id=CVE-2020-5278
20 Apr 2020 — In PrestaShop between versions 1.5.4.0 and 1.7.6.5, there is a reflected XSS on Exception page The problem is fixed in 1.7.6.5 En PrestaShop entre las versiones 1.5.4.0 y 1.7.6.5, hay una vulnerabilidad de tipo XSS reflejado en la página Exception. El problema es corregido en la versión 1.7.6.5 • https://github.com/PrestaShop/PrestaShop/commit/ea85210d6e5d81f058b55764bc4608cdb0b36c5d • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2020-5279 – Improper Access Control for certain legacy controller in PrestaShop
https://notcve.org/view.php?id=CVE-2020-5279
20 Apr 2020 — In PrestaShop between versions 1.5.0.0 and 1.7.6.5, there are improper access control since the the version 1.5.0.0 for legacy controllers. - admin-dev/index.php/configure/shop/customer-preferences/ - admin-dev/index.php/improve/international/translations/ - admin-dev/index.php/improve/international/geolocation/ - admin-dev/index.php/improve/international/localization - admin-dev/index.php/configure/advanced/performance - admin-dev/index.php/sell/orders/delivery-slips/ - admin-dev/index.php?controller=Admin... • https://github.com/PrestaShop/PrestaShop/commit/4444fb85761667a2206874a3112ccc77f657d76a • CWE-284: Improper Access Control CWE-863: Incorrect Authorization •
CVSS: 9.8EPSS: 5%CPEs: 3EXPL: 1CVE-2019-19594
https://notcve.org/view.php?id=CVE-2019-19594
05 Dec 2019 — reset/modules/fotoliaFoto/multi_upload.php in the RESET.PRO Adobe Stock API Integration for PrestaShop 1.6 and 1.7 allows remote attackers to execute arbitrary code by uploading a .php file. En el archivo reset/modules/fotoliaFoto/multi_upload.php en la integración RESET.PRO Adobe Stock API para PrestaShop versiones 1.6 y 1.7, permite a atacantes remotos ejecutar código arbitrario cargando un archivo .php. • https://ia-informatica.com/it/CVE-2019-19594 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.8EPSS: 5%CPEs: 3EXPL: 1CVE-2019-19595
https://notcve.org/view.php?id=CVE-2019-19595
05 Dec 2019 — reset/modules/advanced_form_maker_edit/multiupload/upload.php in the RESET.PRO Adobe Stock API integration 4.8 for PrestaShop allows remote attackers to execute arbitrary code by uploading a .php file. El archivo reset/modules/advanced_form_maker_edit/multiupload/upload.php en la integración de RESET.PRO Adobe Stock API versión 4.8 para PrestaShop, permite a atacantes remotos ejecutar código arbitrario cargando un archivo .php. • https://ia-informatica.com/it/CVE-2019-19595 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 1CVE-2019-13461
https://notcve.org/view.php?id=CVE-2019-13461
09 Jul 2019 — In PrestaShop before 1.7.6.0 RC2, the id_address_delivery and id_address_invoice parameters are affected by an Insecure Direct Object Reference vulnerability due to a guessable value sent to the web application during checkout. An attacker could leak personal customer information. This is PrestaShop bug #14444. En PrestaShop versiones anteriores a 1.7.6.0 RC2, los parámetros id_address_delivery y id_address_invoice se ven afectados por una vulnerabilidad de Referencia de Objeto Directa no Segura debido a un... • https://assets.prestashop2.com/en/system/files/ps_releases/changelog_1.7.6.0-rc2.txt • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 8.8EPSS: 3%CPEs: 1EXPL: 1CVE-2018-20717
https://notcve.org/view.php?id=CVE-2018-20717
15 Jan 2019 — In the orders section of PrestaShop before 1.7.2.5, an attack is possible after gaining access to a target store with a user role with the rights of at least a Salesman or higher privileges. The attacker can then inject arbitrary PHP objects into the process and abuse an object chain in order to gain Remote Code Execution. This occurs because protection against serialized objects looks for a 0: followed by an integer, but does not consider 0:+ followed by an integer. En la sección de pedidos de PrestaShop, ... • https://blog.ripstech.com/2018/prestashop-remote-code-execution • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.8EPSS: 11%CPEs: 2EXPL: 1CVE-2018-19355
https://notcve.org/view.php?id=CVE-2018-19355
19 Nov 2018 — modules/orderfiles/ajax/upload.php in the Customer Files Upload addon 2018-08-01 for PrestaShop (1.5 through 1.7) allows remote attackers to execute arbitrary code by uploading a php file via modules/orderfiles/upload.php with auptype equal to product (for upload destinations under modules/productfiles), order (for upload destinations under modules/files), or cart (for upload destinations under modules/cartfiles). modules/orderfiles/ajax/upload.php en el addon Customer Files Upload 2018-08-01 para PrestaSho... • https://ia-informatica.com/it/CVE-2018-19355 • CWE-434: Unrestricted Upload of File with Dangerous Type •