CVE-2023-30149
https://notcve.org/view.php?id=CVE-2023-30149
SQL injection vulnerability in the City Autocomplete (cityautocomplete) module from ebewe.net for PrestaShop, prior to version 1.8.12 (for PrestaShop version 1.5/1.6) or prior to 2.0.3 (for PrestaShop version 1.7), allows remote attackers to execute arbitrary SQL commands via the type, input_name. or q parameter in the autocompletion.php front controller. • https://addons.prestashop.com/fr/inscription-processus-de-commande/6097-city-autocomplete.html https://friends-of-presta.github.io/security-advisories/module/2023/06/01/cityautocomplete.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2023-30192
https://notcve.org/view.php?id=CVE-2023-30192
Prestashop possearchproducts 1.7 is vulnerable to SQL Injection via PosSearch::find(). • https://friends-of-presta.github.io/security-advisories/modules/2023/05/11/possearchproducts.html https://themeforest.net/user/posthemes/portfolio • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2023-30194
https://notcve.org/view.php?id=CVE-2023-30194
Prestashop posstaticfooter <= 1.0.0 is vulnerable to SQL Injection via posstaticfooter::getPosCurrentHook(). • https://friends-of-presta.github.io/security-advisories/modules/2023/05/09/posstaticfooter.html https://themeforest.net/user/posthemes/portfolio • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2023-30282
https://notcve.org/view.php?id=CVE-2023-30282
PrestaShop scexportcustomers <= 3.6.1 is vulnerable to Incorrect Access Control. Due to a lack of permissions' control, a guest can access exports from the module which can lead to leak of personal information from customer table. • https://friends-of-presta.github.io/security-advisories/modules/2023/05/02/scexportcustomers.html •
CVE-2023-30839 – PrestaShop vulnerable to SQL filter bypass leading to arbitrary write requests using "SQL Manager"
https://notcve.org/view.php?id=CVE-2023-30839
PrestaShop is an Open Source e-commerce web application. Versions prior to 8.0.4 and 1.7.8.9 contain a SQL filtering vulnerability. A BO user can write, update, and delete in the database, even without having specific rights. PrestaShop 8.0.4 and 1.7.8.9 contain a patch for this issue. There are no known workarounds. • https://github.com/PrestaShop/PrestaShop/commit/0f2a9b7fdd42d1dd3b21d4fad586a849642f3c30 https://github.com/PrestaShop/PrestaShop/commit/d1d27dc371599713c912b71bc2a455cacd7f2149 https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-p379-cxqh-q822 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •