CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 2CVE-2020-21967 – PrestaShop 1.7.6.7 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2020-21967
File upload vulnerability in the Catalog feature in Prestashop 1.7.6.7 allows remote attackers to run arbitrary code via the add new file page. Una vulnerabilidad en la carga de archivos en la funcionalidad Catalog en Prestashop versión 1.7.6.7 ,permite a atacantes remotos ejecutar código arbitrario por medio de la página add new file PrestaShop version 1.7.6.7 suffers from a cross site scripting vulnerability via the file upload functionality. • http://packetstormsecurity.com/files/167742/PrestaShop-1.7.6.7-Cross-Site-Scripting.html https://github.com/PrestaShop/PrestaShop/issues/20306 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-21686 – Server Side Twig Template Injection in PrestaShop
https://notcve.org/view.php?id=CVE-2022-21686
PrestaShop is an Open Source e-commerce platform. Starting with version 1.7.0.0 and ending with version 1.7.8.3, an attacker is able to inject twig code inside the back office when using the legacy layout. The problem is fixed in version 1.7.8.3. There are no known workarounds. PrestaShop es una plataforma de comercio electrónico de código abierto. • https://github.com/PrestaShop/PrestaShop/commit/d02b469ec365822e6a9f017e57f588966248bf21 https://github.com/PrestaShop/PrestaShop/releases/tag/1.7.8.3 https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-mrq4-7ch7-2465 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2012-20001
https://notcve.org/view.php?id=CVE-2012-20001
PrestaShop before 1.5.2 allows XSS via the "<object data='data:text/html" substring in the message field. PrestaShop versiones anteriores a 1.5.2 permite un ataque de tipo XSS por medio de la subcadena "(object data="data:text/html" en el campo del mensaje • https://seclists.org/bugtraq/2012/Nov/1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2021-43789 – Blind SQLi using Search filters in PrestaShop
https://notcve.org/view.php?id=CVE-2021-43789
PrestaShop is an Open Source e-commerce web application. Versions of PrestaShop prior to 1.7.8.2 are vulnerable to blind SQL injection using search filters with `orderBy` and `sortOrder` parameters. The problem is fixed in version 1.7.8.2. PrestaShop es una aplicación web de comercio electrónico de código abierto. Las versiones de PrestaShop anteriores a 1.7.8.2, son vulnerables a una inyección SQL ciega usando filtros de búsqueda con los parámetros "orderBy" y "sortOrder". • https://github.com/numanturle/CVE-2021-43789 https://github.com/PrestaShop/PrestaShop/issues/26623 https://github.com/PrestaShop/PrestaShop/releases/tag/1.7.8.2 https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-6xxj-gcjq-wgf4 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2021-21398 – Possible XSS injection through DataColumn Grid class
https://notcve.org/view.php?id=CVE-2021-21398
PrestaShop is a fully scalable open source e-commerce solution. In PrestaShop before version 1.7.7.3, an attacker can inject HTML when the Grid Column Type DataColumn is badly used. The problem is fixed in 1.7.7.3 PrestaShop es una solución de comercio electrónico de código abierto totalmente escalable. En PrestaShop versiones anteriores a 1.7.7.3, un atacante puede inyectar HTML cuando el Grid Column Type DataColumn es usada incorrectamente. El problema se soluciona en la versión 1.7.7.3 • https://github.com/PrestaShop/PrestaShop/commit/aaaba8177f3b3c510461b5e3249e30e60f900205 https://github.com/PrestaShop/PrestaShop/releases/tag/1.7.7.3 https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-fhhq-4x46-qx77 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •