CVE-2024-36682
https://notcve.org/view.php?id=CVE-2024-36682
24 Jun 2024 — In the module "Theme settings" (pk_themesettings) <= 1.8.8 from Promokit.eu for PrestaShop, a guest can download all email addresses collected while the shop is in maintenance mode. Because of missing permission checks, a guest can read the .txt file in which the module stores the addresses submitted while maintenance mode is enabled, which leads to disclosure of personal information. • https://security.friendsofpresta.org/modules/2024/06/20/pk_themesettings.html • CWE-359: Exposure of Private Personal Information to an Unauthorized Actor •
CVE-2024-33836
https://notcve.org/view.php?id=CVE-2024-33836
19 Jun 2024 — In the module "JA Marketplace" (jamarketplace) up to version 9.0.1 from JA Module for PrestaShop, a guest can upload files with a .php extension. In version 6.X the method `JmarketplaceproductModuleFrontController::init()`, and in version 8.X the method `JmarketplaceSellerproductModuleFrontController::init()`, allow .php files to be uploaded, which leads to a critical vulnerability. • https://github.com/friends-of-presta/security-advisories/blob/main/_posts/2024-06-18-jamarketplace.md • CWE-434: Unrestricted Upload of File with Dangerous Type •
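The defect class above is an upload handler that trusts the client-supplied filename. The following is an added example, not code from the JA Marketplace module or from PrestaShop: it shows the checks a front controller's `init()` should run before storing an upload (extension allowlist over every name segment, content sniffing, a server-chosen random name). The function, constant and directory names are assumptions for illustration.

```php
<?php
// Added example, not code from the JA Marketplace module: the checks a front
// controller's init() should run on an uploaded file before storing it.
// Directory and function names are assumptions for illustration.
declare(strict_types=1);

// Allowlist: extensions and (content-sniffed) MIME types a product image may have.
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'webp'];
const ALLOWED_MIME       = ['image/jpeg', 'image/png', 'image/gif', 'image/webp'];
// Segments that must never appear anywhere in the name, so "x.php.jpg" and
// "x.jpg.php" are both refused regardless of how the web server maps handlers.
const FORBIDDEN_SEGMENTS = ['php', 'phtml', 'php3', 'php4', 'php5', 'php7', 'phps', 'phar', 'htaccess'];

/** Return the lowercase extension if the client-supplied name is acceptable, or null. */
function safeExtension(string $clientName): ?string
{
    $segments = explode('.', strtolower(basename($clientName)));
    array_shift($segments);                       // drop the base name; what remains are extension segments
    if ($segments === []) {
        return null;                              // no extension at all
    }
    foreach ($segments as $seg) {
        if (in_array($seg, FORBIDDEN_SEGMENTS, true)) {
            return null;
        }
    }
    $ext = end($segments);
    return in_array($ext, ALLOWED_EXTENSIONS, true) ? $ext : null;
}

/**
 * Validate one $_FILES entry and move it to $uploadDir under a server-chosen
 * random name. Throws on anything suspicious; returns the stored path.
 */
function storeUpload(array $file, string $uploadDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not a successful upload');
    }
    $ext = safeExtension($file['name']);
    if ($ext === null) {
        throw new RuntimeException('File type not allowed');
    }
    // Check the bytes, not just the name: finfo sniffs the content, getimagesize must parse it.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED_MIME, true) || @getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Content is not an allowed image');
    }
    // The attacker controls no part of the final path.
    $dest = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    return $dest;
}

// Name checks alone, runnable from the CLI with constructed filenames.
foreach (['photo.png', 'shell.php', 'shell.jpg.php', 'shell.php.jpg', '.htaccess', 'README'] as $n) {
    printf("%-15s => %s\n", $n, safeExtension($n) ?? 'REJECTED');
}
```

Even with these checks, the upload directory should have script execution disabled at the web server and, where the module design allows, live outside the document root; the name and content checks reduce what can be uploaded, the server configuration limits what happens if something slips through.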
CVE-2024-33268
https://notcve.org/view.php?id=CVE-2024-33268
29 Apr 2024 — SQL injection vulnerability in Digincube mdgiftproduct before 1.4.1 allows an attacker to run arbitrary SQL commands via the MdGiftRule::addGiftToCart method. • https://security.friendsofpresta.org/modules/2024/04/25/mdgiftproduct.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2024-28395
https://notcve.org/view.php?id=CVE-2024-28395
20 Mar 2024 — SQL injection vulnerability in Best-Kit bestkit_popup version 1.7.2 and earlier allows a remote attacker to escalate privileges via the bestkit_popup.php component. • https://addons.prestashop.com/en/pop-up/20208-pop-up-schedule-popup-splash-window.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2024-24302
https://notcve.org/view.php?id=CVE-2024-24302
03 Mar 2024 — An issue was discovered in the Tunis Soft "Product Designer" (productdesigner) module for PrestaShop before version 1.178.36 that allows remote attackers to execute arbitrary code, escalate privileges, and obtain sensitive information via the postProcess() method. • https://github.com/friends-of-presta/security-advisories/blob/main/_posts/2024-02-29-productdesigner-502.md • CWE-502: Deserialization of Untrusted Data •
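CWE-502 in a PHP module almost always means `unserialize()` called on a request value. The block below is an added example, not the Product Designer module's `postProcess()` or any of its classes: it shows the unsafe call beside two safer replacements, and uses a constructed `FileLogger` class as a stand-in for the kind of "gadget" class that turns deserialization into a filesystem write. All names and the payload are constructed for the demo.

```php
<?php
// Added example, not the Product Designer module's postProcess(): the pattern
// CWE-502 describes (unserialize() on request data) beside two safer versions.
// The FileLogger class is a constructed stand-in for a "gadget" class.
declare(strict_types=1);

// Any class whose __destruct()/__wakeup() acts on its own properties turns
// attacker-controlled serialized data into attacker-controlled side effects.
class FileLogger
{
    public string $path = '';
    public string $data = '';
    public function __destruct()
    {
        if ($this->path !== '') {
            file_put_contents($this->path, $this->data);   // path and contents chosen by whoever built the object
        }
    }
}

// VULNERABLE: whatever class name the request names gets instantiated.
function loadDesignUnsafe(string $raw): mixed
{
    return unserialize($raw);
}

// SAFER: objects are never instantiated; only scalars and arrays come back.
function loadDesignNoObjects(string $raw): array
{
    $v = unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($v)) {
        throw new InvalidArgumentException('Expected a plain array');
    }
    return $v;
}

// SAFEST: use a data-only format for anything that crosses a trust boundary,
// and validate the shape explicitly.
function loadDesignJson(string $raw): array
{
    $v = json_decode($raw, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($v) || !isset($v['width'], $v['height']) || !is_int($v['width']) || !is_int($v['height'])) {
        throw new InvalidArgumentException('Malformed design payload');
    }
    return ['width' => $v['width'], 'height' => $v['height']];
}

// Constructed payload of the kind a "design" parameter could carry: it names
// FileLogger and sets its two properties, nothing more.
$target  = sys_get_temp_dir() . '/pop-demo.txt';
$payload = sprintf('O:10:"FileLogger":2:{s:4:"path";s:%d:"%s";s:4:"data";s:5:"owned";}', strlen($target), $target);

loadDesignUnsafe($payload);        // the object is created, discarded, and its destructor runs
echo 'unsafe: file written? ', var_export(file_exists($target), true), "\n";
@unlink($target);

try {
    loadDesignNoObjects($payload);  // with allowed_classes=false the payload yields __PHP_Incomplete_Class, not an array
} catch (InvalidArgumentException $e) {
    echo 'no-objects: rejected (', $e->getMessage(), ")\n";
}
echo 'json: ', json_encode(loadDesignJson('{"width":300,"height":200}')), "\n";
```

Running it shows that the unsafe path writes the file purely as a side effect of deserialization, before the calling code has looked at the result. `allowed_classes => false` removes that class of gadget but still accepts arbitrarily nested PHP data, so the JSON-plus-schema variant is the one to prefer for new code.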
CVE-2024-24307
https://notcve.org/view.php?id=CVE-2024-24307
03 Mar 2024 — Path Traversal vulnerability in Tunis Soft "Product Designer" (productdesigner) module for PrestaShop before version 1.178.36, allows a remote attacker to escalate privileges and obtain sensitive information via the ajaxProcessCropImage() method. • https://github.com/friends-of-presta/security-advisories/blob/main/_posts/2024-02-29-productdesigner-22.md • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
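For the path-traversal entry, the fix is a containment check on the user-supplied path before the crop routine opens it. This is an added example, not the Product Designer module's `ajaxProcessCropImage()`: it canonicalises the path with `realpath()` and verifies it still lies under the permitted directory, covering `..`, absolute paths, NUL bytes and symlinks. The directory layout and file names are constructed for the demo.

```php
<?php
// Added example, not the Product Designer module's ajaxProcessCropImage(): a
// containment check that any user-supplied image path must pass before the
// crop routine opens it. Directory and file names are constructed for the demo.
declare(strict_types=1);

/**
 * Resolve $userPath relative to $baseDir and return the canonical absolute
 * path, or null if it does not exist or lies outside $baseDir.
 */
function resolveInside(string $baseDir, string $userPath): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // NUL bytes truncate the path inside the C-level file functions; absolute
    // paths bypass the base directory entirely. Refuse both before touching the FS.
    if (str_contains($userPath, "\0") || str_starts_with($userPath, '/') || str_starts_with($userPath, '\\')) {
        return null;
    }
    // realpath() collapses "..", "." and symlinks, so the comparison below sees
    // where the path really lands, not how it was spelled.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($candidate === false) {
        return null;
    }
    $inside = $candidate === $base || str_starts_with($candidate, $base . DIRECTORY_SEPARATOR);
    return $inside ? $candidate : null;
}

// Demo layout: <root>/uploads is the only directory the crop handler may read.
$root = sys_get_temp_dir() . '/pd-demo-' . bin2hex(random_bytes(4));
mkdir($root . '/uploads', 0700, true);
file_put_contents($root . '/uploads/photo.png', 'constructed placeholder');
file_put_contents($root . '/secret.txt', 'constructed placeholder');
symlink($root . '/secret.txt', $root . '/uploads/link.png');   // symlink escape attempt

$attempts = ['photo.png', '../secret.txt', 'sub/../../secret.txt', '/etc/passwd', "photo.png\0.jpg", 'link.png'];
foreach ($attempts as $p) {
    $r = resolveInside($root . '/uploads', $p);
    printf("%-24s => %s\n", addcslashes($p, "\0"), $r ?? 'REJECTED');
}

// Clean up the constructed tree.
unlink($root . '/uploads/link.png');
unlink($root . '/uploads/photo.png');
unlink($root . '/secret.txt');
rmdir($root . '/uploads');
rmdir($root);
```

Only `photo.png` resolves; every other attempt is rejected, including the symlink that sits inside the upload directory but points outside it. Comparing against `$base . DIRECTORY_SEPARATOR` rather than `$base` alone matters: a sibling directory such as `uploads-old` would otherwise pass a plain prefix test.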
CVE-2023-50028
https://notcve.org/view.php?id=CVE-2023-50028
19 Jan 2024 — In the module "Sliding cart block" (blockslidingcart) up to version 2.3.8 from PrestashopModules.eu for PrestaShop, a guest can perform SQL injection. • https://addons.prestashop.com/en/express-checkout-process/3321-block-sliding-cart.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
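Three entries on this page (mdgiftproduct, bestkit_popup, blockslidingcart) are the same CWE-89 mistake: request values concatenated into SQL. The block below is an added example, not the code of any of those modules or of PrestaShop: a cart lookup in the shape of `addGiftToCart`, written vulnerably and then fixed, run against an in-memory SQLite database standing in for the shop's tables. Table names, function names and the attacker value are constructed for the demo.

```php
<?php
// Added example, not the code of mdgiftproduct, bestkit_popup or blockslidingcart:
// the query-building mistake behind CWE-89 and its fix, run against an in-memory
// SQLite table standing in for the shop's cart table. Names are assumptions.
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE cart_product (id_cart INTEGER, id_product INTEGER, quantity INTEGER)');
$db->exec('CREATE TABLE employee (id_employee INTEGER, email TEXT, passwd TEXT)');
$db->exec("INSERT INTO cart_product VALUES (1, 42, 2)");
$db->exec("INSERT INTO employee VALUES (1, 'admin@shop.example', 'constructed-password-hash')");

// VULNERABLE: untrusted request values interpolated straight into the statement.
function addGiftToCartUnsafe(PDO $db, string $idCart, string $idProduct): array
{
    $sql = "SELECT id_product, quantity FROM cart_product WHERE id_cart = $idCart AND id_product = $idProduct";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// FIXED: a prepared statement with bound parameters; the values are data and
// can never alter the statement's structure. Casting to int additionally
// guarantees the type the column expects.
function addGiftToCartSafe(PDO $db, string $idCart, string $idProduct): array
{
    $stmt = $db->prepare('SELECT id_product, quantity FROM cart_product WHERE id_cart = :cart AND id_product = :product');
    $stmt->bindValue(':cart', (int) $idCart, PDO::PARAM_INT);
    $stmt->bindValue(':product', (int) $idProduct, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed attacker value for the product id: closes the WHERE clause and
// appends a UNION that reads employee credentials through the same two columns.
$evil = '0 UNION SELECT email, passwd FROM employee';

echo "unsafe:\n";
print_r(addGiftToCartUnsafe($db, '1', $evil));
echo "safe:\n";
print_r(addGiftToCartSafe($db, '1', $evil));   // (int) '0 UNION ...' is 0, so no product matches
```

The unsafe call returns the employee row in place of cart rows; the safe call returns an empty set because the bound integer never reaches the SQL parser as text. In PrestaShop module code the equivalent idiom is to cast every numeric parameter with `(int)` and pass every string through `pSQL()` before it enters a `Db::getInstance()` query; the principle is identical to the bound parameters above.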