
CVSS: 5.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

08 Dec 2022 — PrestaShop is an open-source e-commerce solution. Versions prior to 1.7.8.8 did not properly restrict host filesystem access for users. Users may have been able to view the contents of the upload directory without appropriate permissions. This issue has been addressed and users are advised to upgrade to version 1.7.8.8. There are no known workarounds for this issue. • https://github.com/PrestaShop/PrestaShop/commit/8684d429fb7c3bb51efb098e8b92a1fd2958f8cf • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor; CWE-862: Missing Authorization

CVSS: 6.4 • EPSS: 0% • CPEs: 1 • EXPL: 0

02 Sep 2022 — This package is a PrestaShop module that allows users to post reviews and rate products. There is a vulnerability where an attacker could steal an administrator's cookie. The issue is fixed in version 5.0.2. • https://github.com/PrestaShop/productcomments/commit/314456d739155aa71f0b235827e8e0f24b97c26b • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 10.0 • EPSS: 8% • CPEs: 1 • EXPL: 1

01 Aug 2022 — PrestaShop is an open-source e-commerce platform. In versions from 1.6.0.10 and before 1.7.8.7, PrestaShop is subject to an SQL injection vulnerability which can be chained to call PHP's eval function on attacker input. The problem is fixed in version 1.7.8.7. Users are advised to upgrade. Users unable to upgrade may delete the MySQL Smarty cache feature. • https://github.com/drkbcn/lblfixer_cve_2022_31181 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'); CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 4.8 • EPSS: 0% • CPEs: 1 • EXPL: 3

13 Jul 2022 — File upload vulnerability in the Catalog feature in PrestaShop 1.7.6.7 allows remote attackers to run arbitrary code via the "add new file" page. PrestaShop version 1.7.6.7 suffers from a cross-site scripting vulnerability via the file upload functionality. • https://packetstorm.news/files/id/167742 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.8 • EPSS: 13% • CPEs: 1 • EXPL: 5

27 Jun 2022 — prestashop/blockwishlist is a PrestaShop extension which adds a block containing the customer's wishlists. In affected versions an authenticated customer can perform SQL injection. This issue is fixed in version 2.1.1. Users are advised to upgrade. There are no known workarounds for this issue. • https://packetstorm.news/files/id/168003 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

26 Jan 2022 — PrestaShop is an open-source e-commerce platform. Starting with version 1.7.0.0 and ending with version 1.7.8.3, an attacker is able to inject Twig code inside the back office when using the legacy layout. The problem is fixed in version 1.7.8.3. There are no known workarounds. • https://github.com/PrestaShop/PrestaShop/commit/d02b469ec365822e6a9f017e57f588966248bf21 • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

21 Dec 2021 — PrestaShop before 1.5.2 allows XSS via the "<object data='data:text/html" substring in the message field. • https://seclists.org/bugtraq/2012/Nov/1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.8 • EPSS: 14% • CPEs: 1 • EXPL: 1

07 Dec 2021 — PrestaShop is an open-source e-commerce web application. Versions of PrestaShop prior to 1.7.8.2 are vulnerable to blind SQL injection using search filters with the `orderBy` and `sortOrder` parameters. The problem is fixed in version 1.7.8.2. • https://github.com/numanturle/CVE-2021-43789 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 5.4 • EPSS: 0% • CPEs: 1 • EXPL: 0

31 Mar 2021 — ps_emailsubscription is a newsletter subscription module for the PrestaShop platform. An employee can inject JavaScript in the newsletter condition field that will then be executed on the front office. The issue has been fixed in version 2.6.1. • https://github.com/PrestaShop/ps_emailsubscription/commit/664ffb225e2afb4a32640bbedad667dc6e660b70 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.4 • EPSS: 0% • CPEs: 1 • EXPL: 0

30 Mar 2021 — PrestaShop is a fully scalable open-source e-commerce solution. In PrestaShop before version 1.7.7.3, an attacker can inject HTML when the Grid Column Type DataColumn is badly used. The problem is fixed in version 1.7.7.3. • https://github.com/PrestaShop/PrestaShop/commit/aaaba8177f3b3c510461b5e3249e30e60f900205 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')