CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-1230 – Cross-Site Scripting (XSS) vulnerability in Prestashop
https://notcve.org/view.php?id=CVE-2025-1230
12 Feb 2025 — Stored Cross-Site Scripting (XSS) vulnerability in Prestashop 8.1.7, due to the lack of proper validation of user input through ‘/<admin_directory>/index.php’, affecting the ‘link’ parameter. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal their cookie session details. • https://www.incibe.es/en/incibe-cert/notices/aviso/cross-site-scripting-xss-vulnerability-prestashop • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-36626
https://notcve.org/view.php?id=CVE-2024-36626
29 Nov 2024 — In prestashop 8.1.4, a NULL pointer dereference was identified in the math_round function within Tools.php. • https://gist.github.com/1047524396/25c45b61a6374e0fdaf720c9863c6bcd • CWE-476: NULL Pointer Dereference •
CVSS: 9.8EPSS: 21%CPEs: 1EXPL: 1CVE-2024-41651
https://notcve.org/view.php?id=CVE-2024-41651
12 Aug 2024 — An issue in Prestashop v.8.1.7 and before allows a remote attacker to execute arbitrary code via the module upgrade functionality. An issue in Prestashop v.8.1.7 and before allows a remote attacker to execute arbitrary code via the module upgrade functionality. NOTE: this is disputed by multiple parties, who report that exploitation requires that an attacker be able to hijack network requests made by an admin user (who, by design, is allowed to change the code that is running on the server). • https://github.com/Fckroun/CVE-2024-41651 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-34989
https://notcve.org/view.php?id=CVE-2024-34989
21 Jun 2024 — In the module RSI PDF/HTML catalog evolution (prestapdf) <= 7.0.0 from RSI for PrestaShop, a guest can perform SQL injection via `PrestaPDFProductListModuleFrontController::queryDb().' En el módulo Evolución del catálogo RSI PDF/HTML (prestapdf) <= 7.0.0 de RSI para PrestaShop, un invitado puede realizar una inyección SQL a través de `PrestaPDFProductListModuleFrontController::queryDb().' • https://security.friendsofpresta.org/modules/2024/06/20/prestapdf.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-34717 – Anonymous PrestaShop customer can download other customers' invoices
https://notcve.org/view.php?id=CVE-2024-34717
14 May 2024 — PrestaShop is an open source e-commerce web application. In PrestaShop 8.1.5, any invoice can be downloaded from front-office in anonymous mode, by supplying a random secure_key parameter in the url. This issue is patched in version 8.1.6. No known workarounds are available. PrestaShop es una aplicación web de comercio electrónico de código abierto. • https://github.com/PrestaShop/PrestaShop/releases/tag/8.1.6 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 10.0EPSS: 17%CPEs: 1EXPL: 5CVE-2024-34716 – PrestaShop vulnerable to XSS via customer contact form in FO, through file upload
https://notcve.org/view.php?id=CVE-2024-34716
14 May 2024 — PrestaShop is an open source e-commerce web application. A cross-site scripting (XSS) vulnerability that only affects PrestaShops with customer-thread feature flag enabled is present starting from PrestaShop 8.1.0 and prior to PrestaShop 8.1.6. When the customer thread feature flag is enabled through the front-office contact form, a hacker can upload a malicious file containing an XSS that will be executed when an admin opens the attached file in back office. The script injected can access the session and t... • https://github.com/aelmokhtar/CVE-2024-34716_PoC • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-33270
https://notcve.org/view.php?id=CVE-2024-33270
30 Apr 2024 — An issue in FME Modules fileuploads v.2.0.3 and before and fixed in v2.0.4 allows a remote attacker to obtain sensitive information via the uploadfiles.php component. Un problema en FME Modules fileuploads v.2.0.3 y anteriores y solucionado en v2.0.4 permite a un atacante remoto obtener información confidencial a través del componente uploadfiles.php. • http://fileuploads.com • CWE-125: Out-of-bounds Read •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-33272
https://notcve.org/view.php?id=CVE-2024-33272
29 Apr 2024 — SQL injection vulnerability in KnowBand for PrestaShop autosuggest before 2.0.0 allows an attacker to run arbitrary SQL commands via the AutosuggestSearchModuleFrontController::initContent(), and AutosuggestSearchModuleFrontController::getKbProducts() components. Vulnerabilidad de inyección SQL en KnowBand para PrestaShop autosuggest anterior a 2.0.0 permite a un atacante ejecutar comandos SQL arbitrarios a través de los componentes AutosuggestSearchModuleFrontController::initContent() y AutosuggestSearchMo... • https://security.friendsofpresta.org/modules/2024/04/25/autosuggest.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-33276
https://notcve.org/view.php?id=CVE-2024-33276
29 Apr 2024 — SQL Injection vulnerability in FME Modules preorderandnotication v.3.1.0 and before allows a remote attacker to run arbitrary SQL commands via the PreorderModel::getIdProductAttributesByIdAttributes() method. Vulnerabilidad de inyección SQL en módulos FME preorderandnotication v.3.1.0 y anteriores permite a un atacante remoto ejecutar comandos SQL arbitrarios a través del método PreorderModel::getIdProductAttributesByIdAttributes(). • https://security.friendsofpresta.org/modules/2024/04/25/preorderandnotification.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-30511 – WordPress FG PrestaShop to WooCommerce plugin <= 4.45.1 - Sensitive Data Exposure via Log File vulnerability
https://notcve.org/view.php?id=CVE-2024-30511
29 Mar 2024 — Insertion of Sensitive Information into Log File vulnerability in Frédéric GILLES FG PrestaShop to WooCommerce.This issue affects FG PrestaShop to WooCommerce: from n/a through 4.45.1. Inserción de información confidencial en la vulnerabilidad del archivo de registro en Frédéric GILLES FG PrestaShop a WooCommerce. Este problema afecta a FG PrestaShop a WooCommerce: desde n/a hasta 4.45.1. The FG PrestaShop to WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up... • https://patchstack.com/database/vulnerability/fg-prestashop-to-woocommerce/wordpress-fg-prestashop-to-woocommerce-plugin-4-45-1-sensitive-data-exposure-via-log-file-vulnerability?_s_id=cve • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-532: Insertion of Sensitive Information into Log File •