CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2020-5265 – Reflected XSS on AdminAttributesGroups page of PrestaShop
https://notcve.org/view.php?id=CVE-2020-5265
20 Apr 2020 — In PrestaShop between versions 1.7.6.1 and 1.7.6.5, there is a reflected XSS on AdminAttributesGroups page. The problem is patched in 1.7.6.5. En PrestaShop entre las versiones 1.7.6.1 y 1.7.6.5, hay una vulnerabilidad de tipo XSS reflejado en la página AdminAttributesGroups. El problema está corregido en la versión 1.7.6.5. • https://github.com/PrestaShop/PrestaShop/commit/622ba66ffdbf48b399875003e00bc34d8a3ef712 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.6EPSS: 0%CPEs: 1EXPL: 1CVE-2020-5250 – Possible information disclosure in PrestaShop
https://notcve.org/view.php?id=CVE-2020-5250
05 Mar 2020 — In PrestaShop before version 1.7.6.4, when a customer edits their address, they can freely change the id_address in the form, and thus steal someone else's address. It is the same with CustomerForm, you are able to change the id_customer and change all information of all accounts. The problem is patched in version 1.7.6.4. En PrestaShop versiones anteriores a 1.7.6.4, cuando un cliente edita su dirección, ellos pueden cambiar libremente el id_address en el formulario y, por lo tanto, robar la dirección de o... • https://github.com/drkbcn/lblfixer_cve2020_5250 • CWE-285: Improper Authorization CWE-552: Files or Directories Accessible to External Parties •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2020-6632
https://notcve.org/view.php?id=CVE-2020-6632
09 Jan 2020 — In PrestaShop 1.7.6.2, XSS can occur during addition or removal of a QuickAccess link. This is related to AdminQuickAccessesController.php, themes/default/template/header.tpl, and themes/new-theme/js/header.js. En PrestaShop versión 1.7.6.2, una ataque de tipo XSS puede producirse durante la adición o eliminación de un enlace QuickAccess. Esto está relacionado con los archivos AdminQuickAccessesController.php, themes/default/template/header.tpl y themes/new-theme/js/header.js. • https://github.com/PrestaShop/PrestaShop/pull/17050/commits • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 1CVE-2019-13461
https://notcve.org/view.php?id=CVE-2019-13461
09 Jul 2019 — In PrestaShop before 1.7.6.0 RC2, the id_address_delivery and id_address_invoice parameters are affected by an Insecure Direct Object Reference vulnerability due to a guessable value sent to the web application during checkout. An attacker could leak personal customer information. This is PrestaShop bug #14444. En PrestaShop versiones anteriores a 1.7.6.0 RC2, los parámetros id_address_delivery y id_address_invoice se ven afectados por una vulnerabilidad de Referencia de Objeto Directa no Segura debido a un... • https://assets.prestashop2.com/en/system/files/ps_releases/changelog_1.7.6.0-rc2.txt • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 1CVE-2019-11876
https://notcve.org/view.php?id=CVE-2019-11876
24 May 2019 — In PrestaShop 1.7.5.2, the shop_country parameter in the install/index.php installation script/component is affected by Reflected XSS. Exploitation by a malicious actor requires the user to follow the initial stages of the setup (accepting terms and conditions) before executing the malicious link. En PrestaShop versión 1.7.5.2, el parámetro shop_country en el archivo install/index.php la instalación script/component se ve afectado por una vulnerabilidad Reflected XSS. la explotación por parte de un actor ma... • https://www.logicallysecure.com/blog/xss-presta-xss-drupal • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •