CVSS: 4.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

12 Feb 2025 — Stored Cross-Site Scripting (XSS) vulnerability in Prestashop 8.1.7, due to the lack of proper validation of user input through ‘/<admin_directory>/index.php’, affecting the ‘link’ parameter. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal their cookie session details. • https://www.incibe.es/en/incibe-cert/notices/aviso/cross-site-scripting-xss-vulnerability-prestashop • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.4 • EPSS: 0% • CPEs: 1 • EXPL: 0

22 Jan 2025 — ps_contactinfo, a PrestaShop module for displaying store contact information, has a cross-site scripting (XSS) vulnerability in versions up to and including 3.3.2. This cannot be exploited in a fresh install of PrestaShop; only shops made vulnerable by third-party modules are concerned. For example, if the shop has a third-party module vulnerable to SQL injection, then ps_contactinfo might execute a stored cross-site scripting payload in formatting objects. Commit d60f9a5634b4fc2d3a8831fb08fe2e1f23cbfa39 keeps fo... • https://github.com/PrestaShop/ps_contactinfo/commit/d60f9a5634b4fc2d3a8831fb08fe2e1f23cbfa39 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

29 Nov 2024 — In prestashop 8.1.4, a NULL pointer dereference was identified in the math_round function within Tools.php. • https://gist.github.com/1047524396/25c45b61a6374e0fdaf720c9863c6bcd • CWE-476: NULL Pointer Dereference •

CVSS: 9.8 • EPSS: 21% • CPEs: 1 • EXPL: 1

12 Aug 2024 — An issue in Prestashop v.8.1.7 and before allows a remote attacker to execute arbitrary code via the module upgrade functionality. NOTE: this is disputed by multiple parties, who report that exploitation requires that an attacker be able to hijack network requests made by an admin user (who, by design, is allowed to change the code that is running on the server). • https://github.com/Fckroun/CVE-2024-41651 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 1

24 Jun 2024 — PHP Injection vulnerability in the module "M4 PDF Extensions" (m4pdf) up to version 3.3.2 from PrestaAddons for PrestaShop allows attackers to run arbitrary code via the M4PDF::saveTemplate() method. • https://github.com/absholi7ly/PHP-Injection-in-M4-PDF-Extensions • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

24 Jun 2024 — SQL injection vulnerability in the module "Complete for Create a Quote in Frontend + Backend Pro" (askforaquotemodul) <= 1.0.51 from Buy Addons for PrestaShop allows attackers to view sensitive information and cause other impacts via methods `AskforaquotemodulcustomernewquoteModuleFrontController::run()`, `AskforaquotemoduladdproductnewquoteModuleFrontController::run()`, `AskforaquotemodulCouponcodeModuleFrontController::run()`, `AskforaquotemodulgetshippingcostModuleFrontController::run()`, `Askforaquotemo... • https://security.friendsofpresta.org/modules/2024/06/20/askforaquotemodul.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

24 Jun 2024 — In the module "Axepta" (axepta) before 1.3.4 from Quadra Informatique for PrestaShop, a guest can download partial credit card information (expiry date) / postal address / email / etc. without restriction due to a lack of permissions control. • https://security.friendsofpresta.org/modules/2024/06/20/axepta.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

24 Jun 2024 — SQL Injection vulnerability in the module "Help Desk - Customer Support Management System" (helpdesk) up to version 2.4.0 from FME Modules for PrestaShop allows attackers to obtain sensitive information and cause other impacts via 'Tickets::getsearchedtickets()'. • https://security.friendsofpresta.org/modules/2024/06/20/helpdesk.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

21 Jun 2024 — In the module RSI PDF/HTML catalog evolution (prestapdf) <= 7.0.0 from RSI for PrestaShop, a guest can perform SQL injection via `PrestaPDFProductListModuleFrontController::queryDb()`. • https://security.friendsofpresta.org/modules/2024/06/20/prestapdf.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

19 Jun 2024 — In the module "Login as customer PRO" (loginascustomerpro) <1.2.7 from Weblir for PrestaShop, a guest can access a direct link to connect to each customer account of the shop if the module is not installed OR if a secret accessible to the administrator is stolen. • https://security.friendsofpresta.org/modules/2024/06/18/loginascustomerpro.html • CWE-359: Exposure of Private Personal Information to an Unauthorized Actor •