CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2022-46158 – Potential Information exposure in the upload directory in PrestaShop
https://notcve.org/view.php?id=CVE-2022-46158
PrestaShop is an open-source e-commerce solution. Versions prior to 1.7.8.8 did not properly restrict host filesystem access for users. Users may have been able to view the contents of the upload directory without appropriate permissions. This issue has been addressed and users are advised to upgrade to version 1.7.8.8. There are no known workarounds for this issue. • https://github.com/PrestaShop/PrestaShop/commit/8684d429fb7c3bb51efb098e8b92a1fd2958f8cf https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-9qgp-9wwc-v29r • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-862: Missing Authorization •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-31181 – Remote code execution in prestashop
https://notcve.org/view.php?id=CVE-2022-31181
PrestaShop is an Open Source e-commerce platform. In versions from 1.6.0.10 and before 1.7.8.7 PrestaShop is subject to an SQL injection vulnerability which can be chained to call PHP's Eval function on attacker input. The problem is fixed in version 1.7.8.7. Users are advised to upgrade. Users unable to upgrade may delete the MySQL Smarty cache feature. • https://github.com/PrestaShop/PrestaShop/commit/b6d96e7c2a4e35a44e96ffbcdfd34439b56af804 https://github.com/PrestaShop/PrestaShop/releases/tag/1.7.8.7 https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-hrgx-p36p-89q4 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 2CVE-2020-21967 – PrestaShop 1.7.6.7 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2020-21967
File upload vulnerability in the Catalog feature in Prestashop 1.7.6.7 allows remote attackers to run arbitrary code via the add new file page. Una vulnerabilidad en la carga de archivos en la funcionalidad Catalog en Prestashop versión 1.7.6.7 ,permite a atacantes remotos ejecutar código arbitrario por medio de la página add new file PrestaShop version 1.7.6.7 suffers from a cross site scripting vulnerability via the file upload functionality. • http://packetstormsecurity.com/files/167742/PrestaShop-1.7.6.7-Cross-Site-Scripting.html https://github.com/PrestaShop/PrestaShop/issues/20306 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-21686 – Server Side Twig Template Injection in PrestaShop
https://notcve.org/view.php?id=CVE-2022-21686
PrestaShop is an Open Source e-commerce platform. Starting with version 1.7.0.0 and ending with version 1.7.8.3, an attacker is able to inject twig code inside the back office when using the legacy layout. The problem is fixed in version 1.7.8.3. There are no known workarounds. PrestaShop es una plataforma de comercio electrónico de código abierto. • https://github.com/PrestaShop/PrestaShop/commit/d02b469ec365822e6a9f017e57f588966248bf21 https://github.com/PrestaShop/PrestaShop/releases/tag/1.7.8.3 https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-mrq4-7ch7-2465 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2012-20001
https://notcve.org/view.php?id=CVE-2012-20001
PrestaShop before 1.5.2 allows XSS via the "<object data='data:text/html" substring in the message field. PrestaShop versiones anteriores a 1.5.2 permite un ataque de tipo XSS por medio de la subcadena "(object data="data:text/html" en el campo del mensaje • https://seclists.org/bugtraq/2012/Nov/1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •