CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-34717 – Anonymous PrestaShop customer can download other customers' invoices
https://notcve.org/view.php?id=CVE-2024-34717
14 May 2024 — PrestaShop is an open source e-commerce web application. In PrestaShop 8.1.5, any invoice can be downloaded from front-office in anonymous mode, by supplying a random secure_key parameter in the url. This issue is patched in version 8.1.6. No known workarounds are available. PrestaShop es una aplicación web de comercio electrónico de código abierto. • https://github.com/PrestaShop/PrestaShop/releases/tag/8.1.6 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 4CVE-2024-34716 – PrestaShop vulnerable to XSS via customer contact form in FO, through file upload
https://notcve.org/view.php?id=CVE-2024-34716
14 May 2024 — PrestaShop is an open source e-commerce web application. A cross-site scripting (XSS) vulnerability that only affects PrestaShops with customer-thread feature flag enabled is present starting from PrestaShop 8.1.0 and prior to PrestaShop 8.1.6. When the customer thread feature flag is enabled through the front-office contact form, a hacker can upload a malicious file containing an XSS that will be executed when an admin opens the attached file in back office. The script injected can access the session and t... • https://github.com/aelmokhtar/CVE-2024-34716_PoC • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •