CVE-2020-15162 – Stored XSS in PrestaShop
https://notcve.org/view.php?id=CVE-2020-15162
In PrestaShop from version 1.5.0.0 and before version 1.7.6.8, users are allowed to send compromised files. These attachments allowed people to input malicious JavaScript which triggered an XSS payload. The problem is fixed in version 1.7.6.8. En PrestaShop a partir de la versión 1.5.0.0 y antes de la versión 1.7.6.8, los usuarios pueden enviar archivos comprometidos. Estos archivos adjuntos permitieron a la gente introducir JavaScript malicioso que desencadenó una carga útil de XSS. • https://github.com/PrestaShop/PrestaShop/commit/2cfcd33c75974a49f17665f294f228454e14d9cf https://github.com/PrestaShop/PrestaShop/releases/tag/1.7.6.8 https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-rc8c-v7rq-q392 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2020-15160 – Blind SQL Injection in PrestaShop
https://notcve.org/view.php?id=CVE-2020-15160
PrestaShop from version 1.7.5.0 and before version 1.7.6.8 is vulnerable to a blind SQL Injection attack in the Catalog Product edition page with location parameter. The problem is fixed in 1.7.6.8 PrestaShop a partir de la versión 1.7.5.0 y antes de la versión 1.7.6.8 es vulnerable a un ataque ciego de Inyección SQL en la página de edición del Catálogo de Productos con parámetro de localización. El problema se soluciona en la versión 1.7.6.8 PrestaShop version 1.7.6.7 suffers from a remote blind SQL injection vulnerability. • https://www.exploit-db.com/exploits/49755 http://packetstormsecurity.com/files/162140/PrestaShop-1.7.6.7-SQL-Injection.html https://github.com/PrestaShop/PrestaShop/commit/3fa0dfa5a8f4b149c7c90b948a12b4f5999a5ef8 https://github.com/PrestaShop/PrestaShop/releases/tag/1.7.6.8 https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-fghq-8h87-826g • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2020-15161 – Potential XSS in PrestaShop
https://notcve.org/view.php?id=CVE-2020-15161
In PrestaShop from version 1.6.0.4 and before version 1.7.6.8 an attacker is able to inject javascript while using the contact form. The problem is fixed in 1.7.6.8 En PrestaShop a partir de la versión 1.6.0.4 y antes de la versión 1.7.6.8 un atacante es capaz de inyectar javascript mientras usa el formulario de contacto. El problema se soluciona en la versión 1.7.6.8 • https://github.com/PrestaShop/PrestaShop/commit/562a231fec18a928e4a601860416fe11af274672 https://github.com/PrestaShop/PrestaShop/releases/tag/1.7.6.8 https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-5cp2-r794-w37w • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •