93 results (0.002 seconds)

CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0

PrestaShop is an open source e-commerce web application. In PrestaShop 8.1.5, any invoice can be downloaded from front-office in anonymous mode, by supplying a random secure_key parameter in the url. This issue is patched in version 8.1.6. No known workarounds are available. PrestaShop es una aplicación web de comercio electrónico de código abierto. • https://github.com/PrestaShop/PrestaShop/releases/tag/8.1.6 https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-7pjr-2rgh-fc5g • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 9.6EPSS: 0%CPEs: 1EXPL: 3

PrestaShop is an open source e-commerce web application. A cross-site scripting (XSS) vulnerability that only affects PrestaShops with customer-thread feature flag enabled is present starting from PrestaShop 8.1.0 and prior to PrestaShop 8.1.6. When the customer thread feature flag is enabled through the front-office contact form, a hacker can upload a malicious file containing an XSS that will be executed when an admin opens the attached file in back office. The script injected can access the session and the security token, which allows it to perform any authenticated action in the scope of the administrator's right. This vulnerability is patched in 8.1.6. • https://github.com/aelmokhtar/CVE-2024-34716_PoC https://github.com/aelmokhtar/CVE-2024-34716 https://github.com/TanveerS1ngh/Prestashop-CVE-2024-34716 https://github.com/PrestaShop/PrestaShop/releases/tag/8.1.6 https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-45vm-3j38-7p78 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0

Insertion of Sensitive Information into Log File vulnerability in Frédéric GILLES FG PrestaShop to WooCommerce.This issue affects FG PrestaShop to WooCommerce: from n/a through 4.45.1. Inserción de información confidencial en la vulnerabilidad del archivo de registro en Frédéric GILLES FG PrestaShop a WooCommerce. Este problema afecta a FG PrestaShop a WooCommerce: desde n/a hasta 4.45.1. The FG PrestaShop to WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.45.1. This makes it possible for unauthenticated attackers to view data in log files. • https://patchstack.com/database/vulnerability/fg-prestashop-to-woocommerce/wordpress-fg-prestashop-to-woocommerce-plugin-4-45-1-sensitive-data-exposure-via-log-file-vulnerability?_s_id=cve • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-532: Insertion of Sensitive Information into Log File •

CVSS: 5.8EPSS: 0%CPEs: 1EXPL: 0

PrestaShop is an open-source e-commerce platform. Starting in version 8.1.0 and prior to version 8.1.4, PrestaShop is vulnerable to path disclosure in a JavaScript variable. A patch is available in version 8.1.4. PrestaShop es una plataforma de comercio electrónico de código abierto. A partir de la versión 8.1.0 y anteriores a la versión 8.1.4, PrestaShop es vulnerable a la divulgación de rutas en una variable de JavaScript. • https://github.com/PrestaShop/PrestaShop/commit/444bd0dea581659918fe2067541b9863cf099dd5 https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-3366-9287-7qpr https://owasp.org/www-community/attacks/Full_Path_Disclosure • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0

PrestaShop is an open-source e-commerce platform. Prior to version 8.1.3, the isCleanHtml method is not used on this this form, which makes it possible to store a cross-site scripting payload in the database. The impact is low because the HTML is not interpreted in BO, thanks to twig's escape mechanism. In FO, the cross-site scripting attack is effective, but only impacts the customer sending it, or the customer session from which it was sent. This issue affects those who have a module fetching these messages from the DB and displaying it without escaping HTML. • https://github.com/PrestaShop/PrestaShop/commit/c3d78b7e49f5fe49a9d07725c3174d005deaa597 https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-vr7m-r9vm-m4wf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •