PrestaShop Open source ecommerce solution
Products by PrestaShop Sorted by Most Security Vulnerabilities since 2018
By the Year
In 2024 there have been 3 vulnerabilities in PrestaShop with an average score of 5.8 out of ten. Last year PrestaShop had 31 security vulnerabilities published. Right now, PrestaShop is on track to have fewer security vulnerabilities in 2024 than it did last year. Last year, the average CVE base score was greater by 2.46.
Year | Vulnerabilities | Average Score |
---|---|---|
2024 | 3 | 5.83 |
2023 | 31 | 8.29 |
2022 | 6 | 7.27 |
2021 | 7 | 7.54 |
2020 | 35 | 6.41 |
2019 | 3 | 7.47 |
2018 | 9 | 8.22 |
It may take a day or so for new PrestaShop vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent PrestaShop Security Vulnerabilities
An issue in 202 ecommerce Advanced Loyalty Program: Loyalty Points before v2.3.4 for PrestaShop
CVE-2023-48926
5.3 - Medium
- January 16, 2024
An issue in 202 ecommerce Advanced Loyalty Program: Loyalty Points before v2.3.4 for PrestaShop allows unauthenticated attackers to arbitrarily change an order status.
AuthZ
PrestaShop is an open-source e-commerce platform
CVE-2024-21628
6.1 - Medium
- January 02, 2024
PrestaShop is an open-source e-commerce platform. Prior to version 8.1.3, the isCleanHtml method is not used on this form, which makes it possible to store a cross-site scripting payload in the database. The impact is low because the HTML is not interpreted in BO, thanks to twig's escape mechanism. In FO, the cross-site scripting attack is effective, but only impacts the customer sending it, or the customer session from which it was sent. This issue affects those who have a module fetching these messages from the DB and displaying them without escaping HTML. Version 8.1.3 contains a patch for this issue.
XSS
PrestaShop is an open-source e-commerce platform
CVE-2024-21627
6.1 - Medium
- January 02, 2024
PrestaShop is an open-source e-commerce platform. Prior to versions 8.1.3 and 1.7.8.11, some event attributes are not detected by the `isCleanHTML` method. Some modules using the `isCleanHTML` method could be vulnerable to cross-site scripting. Versions 8.1.3 and 1.7.8.11 contain a patch for this issue. The best workaround is to use the `HTMLPurifier` library to sanitize html input coming from users. The library is already available as a dependency in the PrestaShop project. Beware though that in legacy object models, fields of `HTML` type will call `isCleanHTML`.
XSS
blockreassurance adds an information block aimed at offering helpful information to reassure customers that their store is trustworthy
CVE-2023-47110
5.3 - Medium
- November 09, 2023
blockreassurance adds an information block aimed at offering helpful information to reassure customers that their store is trustworthy. An ajax function in module blockreassurance allows modifying any value in the configuration table. This vulnerability has been patched in version 5.1.4.
PrestaShop blockreassurance adds an information block aimed at offering helpful information to reassure customers
CVE-2023-47109
8.1 - High
- November 08, 2023
PrestaShop blockreassurance adds an information block aimed at offering helpful information to reassure customers that the store is trustworthy. When adding a block in blockreassurance module, a BO user can modify the http request and give the path of any file in the project instead of an image. When deleting the block from the BO, the file will be deleted. It is possible to make the website completely unavailable by removing index.php for example. This issue has been patched in version 5.1.4.
Prestashop opartlimitquantity 1.4.5 and before is vulnerable to SQL Injection
CVE-2023-36263
9.8 - Critical
- October 31, 2023
Prestashop opartlimitquantity 1.4.5 and before is vulnerable to SQL Injection. `OpartlimitquantityAlertlimitModuleFrontController::displayAjaxPushAlertMessage()` has sensitive SQL calls that can be executed with a trivial http call and exploited to forge a SQL injection.
SQL Injection
PrestaShop is an Open Source e-commerce web application
CVE-2023-43663
4.3 - Medium
- September 28, 2023
PrestaShop is an Open Source e-commerce web application. In affected versions any module can be disabled or uninstalled from the back office, even with low user rights. This allows low privileged users to disable portions of a shop's functionality. Commit `ce1f6708` addresses this issue and is included in version 8.1.2. Users are advised to upgrade. There are no known workarounds for this issue.
Improper Privilege Management
PrestaShop is an Open Source e-commerce web application
CVE-2023-43664
4.3 - Medium
- September 28, 2023
PrestaShop is an Open Source e-commerce web application. In the Prestashop Back office interface, an employee can list all modules without any access rights: method `ajaxProcessGetPossibleHookingListForModule` doesn't check access rights. This issue has been addressed in commit `15bd281c` which is included in version 8.1.2. Users are advised to upgrade. There are no known workarounds for this issue.
Improper Privilege Management
M4 PDF plugin for Prestashop sites, in its 3.2.3 version and before, is vulnerable to an arbitrary HTML Document crafting vulnerability
CVE-2022-45448
6.1 - Medium
- September 20, 2023
M4 PDF plugin for Prestashop sites, in its 3.2.3 version and before, is vulnerable to an arbitrary HTML Document crafting vulnerability. The resource /m4pdf/pdf.php uses templates to dynamically create documents. In the case that the template does not exist, the application will return a fixed document with a message in mpdf format. An attacker could exploit this vulnerability by inputting a valid HTML/CSS document as the value of the parameter.
XSS
M4 PDF plugin for Prestashop sites, in its 3.2.3 version and before, is vulnerable to a directory traversal vulnerability
CVE-2022-45447
6.5 - Medium
- September 20, 2023
M4 PDF plugin for Prestashop sites, in its 3.2.3 version and before, is vulnerable to a directory traversal vulnerability. The f parameter is not properly checked in the resource /m4pdf/pdf.php, returning any file given its relative path. An attacker that exploits this vulnerability could download /etc/passwd from the server if the file exists.
Directory traversal
PrestaShop is an open source e-commerce web application
CVE-2023-39525
9.1 - Critical
- August 07, 2023
PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, in the back office, files can be compromised using path traversal by replaying the import file deletion query with a specified file path that uses the traversal path. Version 8.1.1 contains a patch for this issue. There are no known workarounds.
Directory traversal
PrestaShop is an open source e-commerce web application
CVE-2023-39530
9.1 - Critical
- August 07, 2023
PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, it is possible to delete files from the server via the CustomerMessage API. Version 8.1.1 contains a patch for this issue. There are no known workarounds.
Improper Input Validation
PrestaShop is an open source e-commerce web application
CVE-2023-39529
9.1 - Critical
- August 07, 2023
PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, it is possible to delete a file from the server by using the Attachments controller and the Attachments API. Version 8.1.1 contains a patch for this issue. There are no known workarounds.
PrestaShop is an open source e-commerce web application
CVE-2023-39528
8.6 - High
- August 07, 2023
PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, the `displayAjaxEmailHTML` method can be used to read any file on the server, potentially even outside of the project if the server is not correctly configured. Version 8.1.1 contains a patch for this issue. There are no known workarounds.
Directory traversal
PrestaShop is an open source e-commerce web application
CVE-2023-39527
6.1 - Medium
- August 07, 2023
PrestaShop is an open source e-commerce web application. Versions prior to 1.7.8.10, 8.0.5, and 8.1.1 are vulnerable to cross-site scripting through the `isCleanHTML` method. Versions 1.7.8.10, 8.0.5, and 8.1.1 contain a patch. There are no known workarounds.
XSS
PrestaShop is an open source e-commerce web application
CVE-2023-39526
9.8 - Critical
- August 07, 2023
PrestaShop is an open source e-commerce web application. Versions prior to 1.7.8.10, 8.0.5, and 8.1.1 are vulnerable to remote code execution through SQL injection and arbitrary file write in the back office. Versions 1.7.8.10, 8.0.5, and 8.1.1 contain a patch. There are no known workarounds.
SQL Injection
PrestaShop is an open source e-commerce web application
CVE-2023-39524
9.8 - Critical
- August 07, 2023
PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, SQL injection possible in the product search field, in BO's product page. Version 8.1.1 contains a patch for this issue. There are no known workarounds.
SQL Injection
An issue in /functions/fbaorder.php of Prestashop amazon before v5.2.24
CVE-2023-33777
5.3 - Medium
- July 25, 2023
An issue in /functions/fbaorder.php of Prestashop amazon before v5.2.24 allows attackers to execute a directory traversal attack.
Directory traversal
An SQL injection vulnerability in the Payplug (payplug) module for PrestaShop, in versions 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.7.0 and 3.7.1
CVE-2023-30153
9.8 - Critical
- July 18, 2023
An SQL injection vulnerability in the Payplug (payplug) module for PrestaShop, in versions 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.7.0 and 3.7.1, allows remote attackers to execute arbitrary SQL commands via the ajax.php front controller.
SQL Injection
A SQL injection vulnerability in the Boxtal (envoimoinscher) module for PrestaShop, after version 3.1.10
CVE-2023-30151
9.8 - Critical
- July 13, 2023
A SQL injection vulnerability in the Boxtal (envoimoinscher) module for PrestaShop, after version 3.1.10, allows remote attackers to execute arbitrary SQL commands via the `key` GET parameter.
SQL Injection
In the PrestaShop < 2.4.3 module "Length
CVE-2023-31672
9.8 - Critical
- June 15, 2023
In the PrestaShop < 2.4.3 module "Length, weight or volume sell" (ailinear) there is a SQL injection vulnerability.
SQL Injection
Prestashop possearchproducts 1.7 is vulnerable to SQL Injection
CVE-2023-30192
9.8 - Critical
- May 12, 2023
Prestashop possearchproducts 1.7 is vulnerable to SQL Injection via PosSearch::find().
SQL Injection
** REJECT ** DO NOT USE THIS CVE RECORD
CVE-2023-31508
- May 11, 2023
** REJECT ** DO NOT USE THIS CVE RECORD. ConsultIDs: CVE-2020-15178. Reason: This record is a duplicate of CVE-2020-15178. Notes: All CVE users should reference CVE-2020-15178 instead of this record. All references and descriptions in this record have been removed to prevent accidental usage.
Prestashop posstaticfooter <= 1.0.0 is vulnerable to SQL Injection
CVE-2023-30194
9.8 - Critical
- May 10, 2023
Prestashop posstaticfooter <= 1.0.0 is vulnerable to SQL Injection via posstaticfooter::getPosCurrentHook().
SQL Injection
PrestaShop scexportcustomers <= 3.6.1 is vulnerable to Incorrect Access Control
CVE-2023-30282
7.5 - High
- May 04, 2023
PrestaShop scexportcustomers <= 3.6.1 is vulnerable to Incorrect Access Control. Due to a lack of permission control, a guest can access exports from the module, which can lead to a leak of personal information from the customer table.
PrestaShop is an Open Source e-commerce web application
CVE-2023-30838
9.9 - Critical
- April 25, 2023
PrestaShop is an Open Source e-commerce web application. Prior to versions 8.0.4 and 1.7.8.9, the `ValidateCore::isCleanHTML()` method of Prestashop misses hijackable events which can lead to cross-site scripting (XSS) injection, allowed by the presence of pre-setup `@keyframes` methods. This XSS, which hijacks HTML attributes, can be triggered without any interaction by the visitor/administrator, which makes it as dangerous as a trivial XSS attack. Contrary to other attacks which target HTML attributes and are triggered without user interaction (such as onload / onerror which suffer from a very limited scope), this one can hijack every HTML element, which increases the danger due to a complete HTML elements scope. Versions 8.0.4 and 1.7.8.9 contain a fix for this issue.
XSS
PrestaShop is an Open Source e-commerce web application
CVE-2023-30839
8.8 - High
- April 25, 2023
PrestaShop is an Open Source e-commerce web application. Versions prior to 8.0.4 and 1.7.8.9 contain a SQL filtering vulnerability. A BO user can write, update, and delete in the database, even without having specific rights. PrestaShop 8.0.4 and 1.7.8.9 contain a patch for this issue. There are no known workarounds.
SQL Injection
PrestaShop is an Open Source e-commerce web application
CVE-2023-30545
6.5 - Medium
- April 25, 2023
PrestaShop is an Open Source e-commerce web application. Prior to versions 8.0.4 and 1.7.8.9, it is possible for a user with access to the SQL Manager (Advanced Options -> Database) to arbitrarily read any file on the operating system when using the SQL function `LOAD_FILE` in a `SELECT` request. This gives the user access to critical information. A patch is available in PrestaShop 8.0.4 and PS 1.7.8.9.
SQL Injection
The eo_tags package before 1.3.0 for PrestaShop
CVE-2023-27569
9.8 - Critical
- March 21, 2023
The eo_tags package before 1.3.0 for PrestaShop allows SQL injection via an HTTP User-Agent or Referer header.
SQL Injection
The eo_tags package before 1.4.19 for PrestaShop
CVE-2023-27570
9.8 - Critical
- March 21, 2023
The eo_tags package before 1.4.19 for PrestaShop allows SQL injection via a crafted _ga cookie.
SQL Injection
PrestaShop ws_productreviews < 3.6.2 is vulnerable to SQL Injection.
CVE-2023-25206
8.8 - High
- March 14, 2023
PrestaShop ws_productreviews < 3.6.2 is vulnerable to SQL Injection.
SQL Injection
PrestaShop dpdfrance <6.1.3 is vulnerable to SQL Injection
CVE-2023-25207
9.8 - Critical
- March 13, 2023
PrestaShop dpdfrance <6.1.3 is vulnerable to SQL Injection via dpdfrance/ajax.php.
SQL Injection
PrestaShop is an open source e-commerce web application that, prior to version 8.0.1, is vulnerable to cross-site request forgery (CSRF)
CVE-2023-25170
8.8 - High
- March 13, 2023
PrestaShop is an open source e-commerce web application that, prior to version 8.0.1, is vulnerable to cross-site request forgery (CSRF). When authenticating users, PrestaShop preserves session attributes. Because this does not clear CSRF tokens upon login, this might enable same-site attackers to bypass the CSRF protection mechanism by performing an attack similar to a session-fixation. The problem is fixed in version 8.0.1.
Session Riding
In the module "Xen Forum" (xenforum) for PrestaShop, an authenticated user
CVE-2023-24763
8.8 - High
- March 06, 2023
In the module "Xen Forum" (xenforum) for PrestaShop, an authenticated user can perform SQL injection in versions up to 2.13.0.
SQL Injection
PrestaShop is an open-source e-commerce solution
CVE-2022-46158
4.3 - Medium
- December 08, 2022
PrestaShop is an open-source e-commerce solution. Versions prior to 1.7.8.8 did not properly restrict host filesystem access for users. Users may have been able to view the contents of the upload directory without appropriate permissions. This issue has been addressed and users are advised to upgrade to version 1.7.8.8. There are no known workarounds for this issue.
AuthZ
This package is a PrestaShop module that allows users to post reviews and rate products
CVE-2022-35933
6.1 - Medium
- September 02, 2022
This package is a PrestaShop module that allows users to post reviews and rate products. There is a vulnerability where the attacker could steal an administrator's cookie. The issue is fixed in version 5.0.2.
XSS
PrestaShop is an Open Source e-commerce platform
CVE-2022-31181
9.8 - Critical
- August 01, 2022
PrestaShop is an Open Source e-commerce platform. In versions from 1.6.0.10 and before 1.7.8.7 PrestaShop is subject to an SQL injection vulnerability which can be chained to call PHP's Eval function on attacker input. The problem is fixed in version 1.7.8.7. Users are advised to upgrade. Users unable to upgrade may delete the MySQL Smarty cache feature.
SQL Injection
File upload vulnerability in the Catalog feature in Prestashop 1.7.6.7
CVE-2020-21967
4.8 - Medium
- July 13, 2022
File upload vulnerability in the Catalog feature in Prestashop 1.7.6.7 allows remote attackers to run arbitrary code via the add new file page.
XSS
prestashop/blockwishlist is a prestashop extension which adds a block containing the customer's wishlists
CVE-2022-31101
8.8 - High
- June 27, 2022
prestashop/blockwishlist is a prestashop extension which adds a block containing the customer's wishlists. In affected versions an authenticated customer can perform SQL injection. This issue is fixed in version 2.1.1. Users are advised to upgrade. There are no known workarounds for this issue.
SQL Injection
PrestaShop is an Open Source e-commerce platform
CVE-2022-21686
9.8 - Critical
- January 26, 2022
PrestaShop is an Open Source e-commerce platform. Starting with version 1.7.0.0 and ending with version 1.7.8.3, an attacker is able to inject twig code inside the back office when using the legacy layout. The problem is fixed in version 1.7.8.3. There are no known workarounds.
Code Injection
PrestaShop before 1.5.2
CVE-2012-20001
6.1 - Medium
- December 21, 2021
PrestaShop before 1.5.2 allows XSS via the "<object data='data:text/html" substring in the message field.
XSS
PrestaShop is an Open Source e-commerce web application
CVE-2021-43789
9.8 - Critical
- December 07, 2021
PrestaShop is an Open Source e-commerce web application. Versions of PrestaShop prior to 1.7.8.2 are vulnerable to blind SQL injection using search filters with `orderBy` and `sortOrder` parameters. The problem is fixed in version 1.7.8.2.
SQL Injection
ps_emailsubscription is a newsletter subscription module for the PrestaShop platform
CVE-2021-21418
5.4 - Medium
- March 31, 2021
ps_emailsubscription is a newsletter subscription module for the PrestaShop platform. An employee can inject javascript in the newsletter condition field that will then be executed on the front office. The issue has been fixed in 2.6.1.
XSS
PrestaShop is a fully scalable open source e-commerce solution
CVE-2021-21398
5.4 - Medium
- March 30, 2021
PrestaShop is a fully scalable open source e-commerce solution. In PrestaShop before version 1.7.7.3, an attacker can inject HTML when the Grid Column Type DataColumn is badly used. The problem is fixed in 1.7.7.3.
XSS
PrestaShop is a fully scalable open source e-commerce solution
CVE-2021-21308
9.1 - Critical
- February 26, 2021
PrestaShop is a fully scalable open source e-commerce solution. In PrestaShop before version 1.7.2 the soft logout system is not complete and an attacker is able to forge requests and execute customer commands. The problem is fixed in 1.7.7.2.
Authentication
PrestaShop is a fully scalable open source e-commerce solution
CVE-2021-21302
7.2 - High
- February 26, 2021
PrestaShop is a fully scalable open source e-commerce solution. In PrestaShop before version 1.7.2 there is a CSV Injection vulnerability possible by using shop search keywords via the admin panel. The problem is fixed in 1.7.7.2.
CSV Injection
The store system in PrestaShop 1.7.7.0
CVE-2021-3110
9.8 - Critical
- January 20, 2021
The store system in PrestaShop 1.7.7.0 allows time-based boolean SQL injection via the module=productcomments controller=CommentGrade id_products[] parameter.
SQL Injection
In the PrestaShop module "productcomments" before version 4.2.1, an attacker
CVE-2020-26248
8.2 - High
- December 03, 2020
In the PrestaShop module "productcomments" before version 4.2.1, an attacker can use a Blind SQL injection to retrieve data or stop the MySQL service. The problem is fixed in 4.2.1 of the module.
SQL Injection
In PrestaShop Product Comments before version 4.2.0
CVE-2020-26225
6.1 - Medium
- November 16, 2020
In PrestaShop Product Comments before version 4.2.0, an attacker could inject malicious web code into the users' web browsers by creating a malicious link. The problem was introduced in version 4.0.0 and is fixed in 4.2.0.
XSS
In PrestaShop before version 1.7.6.9 an attacker is able to list all the orders placed on the website without being logged by abusing the function
CVE-2020-26224
7.5 - High
- November 16, 2020
In PrestaShop before version 1.7.6.9 an attacker is able to list all the orders placed on the website without being logged in by abusing the function that allows a shopping cart to be recreated from an order already placed. The problem is fixed in 1.7.6.9.
In PrestaShop from version 1.5.0.0 and before version 1.7.6.8, users are allowed to send compromised files
CVE-2020-15162
5.4 - Medium
- September 24, 2020
In PrestaShop from version 1.5.0.0 and before version 1.7.6.8, users are allowed to send compromised files. These attachments allowed people to input malicious JavaScript which triggered an XSS payload. The problem is fixed in version 1.7.6.8.
XSS
PrestaShop from version 1.7.5.0 and before version 1.7.6.8 is vulnerable to a blind SQL Injection attack in the Catalog Product edition page with location parameter
CVE-2020-15160
9.8 - Critical
- September 24, 2020
PrestaShop from version 1.7.5.0 and before version 1.7.6.8 is vulnerable to a blind SQL Injection attack in the Catalog Product edition page with the location parameter. The problem is fixed in 1.7.6.8.
SQL Injection
In PrestaShop from version 1.6.0.4 and before version 1.7.6.8 an attacker is able to inject javascript while using the contact form
CVE-2020-15161
6.1 - Medium
- September 24, 2020
In PrestaShop from version 1.6.0.4 and before version 1.7.6.8 an attacker is able to inject javascript while using the contact form. The problem is fixed in 1.7.6.8.
XSS
In PrestaShop Dashboard Productions before version 2.1.0, there is improper authorization
CVE-2020-15102
6.5 - Medium
- July 21, 2020
In PrestaShop Dashboard Productions before version 2.1.0, there is improper authorization which enables an attacker to change the configuration. The problem is fixed in 2.1.0.
AuthZ
In PrestaShop from version 1.7.4.0 and before version 1.7.6.6
CVE-2020-15080
5.3 - Medium
- July 02, 2020
In PrestaShop from version 1.7.4.0 and before version 1.7.6.6, some files should not be in the release archive, and others should not be accessible. The problem is fixed in version 1.7.6.6. A possible workaround is to make sure `composer.json` and `docker-compose.yml` are not accessible on your server.
AuthZ
In PrestaShop from version 1.5.0.0 and before version 1.7.6.6
CVE-2020-4074
9.8 - Critical
- July 02, 2020
In PrestaShop from version 1.5.0.0 and before version 1.7.6.6, the authentication system is malformed and an attacker is able to forge requests and execute admin commands. The problem is fixed in 1.7.6.6.
Authentication
In PrestaShop from version 1.5.3.0 and before version 1.7.6.6, there is a stored XSS when using the name of a quick access item
CVE-2020-11074
5.4 - Medium
- July 02, 2020
In PrestaShop from version 1.5.3.0 and before version 1.7.6.6, there is a stored XSS when using the name of a quick access item. The problem is fixed in 1.7.6.6.
XSS
In PrestaShop from version 1.5.0.0 and before version 1.7.6.6
CVE-2020-15079
5.4 - Medium
- July 02, 2020
In PrestaShop from version 1.5.0.0 and before version 1.7.6.6, there is improper access control in the Carrier page, Module Manager and Module Positions. The problem is fixed in version 1.7.6.6.
In PrestaShop from version 1.5.0.0 and before 1.7.6.6, there is information exposure in the upload directory
CVE-2020-15081
5.3 - Medium
- July 02, 2020
In PrestaShop from version 1.5.0.0 and before 1.7.6.6, there is information exposure in the upload directory. The problem is fixed in version 1.7.6.6. A possible workaround is to add an empty index.php file in the upload directory.
Information Disclosure
In PrestaShop from version 1.6.0.1 and before version 1.7.6.6, the dashboard allows rewriting all configuration variables
CVE-2020-15082
8.8 - High
- July 02, 2020
In PrestaShop from version 1.6.0.1 and before version 1.7.6.6, the dashboard allows rewriting all configuration variables. The problem is fixed in 1.7.6.6.
In PrestaShop from version 1.7.0.0 and before version 1.7.6.6, if a target sends a corrupted file, it leads to a reflected XSS
CVE-2020-15083
6.1 - Medium
- July 02, 2020
In PrestaShop from version 1.7.0.0 and before version 1.7.6.6, if a target sends a corrupted file, it leads to a reflected XSS. The problem is fixed in 1.7.6.6.
XSS
The Correos Express addon for PrestaShop 1.6 through 1.7 allows remote attackers to obtain sensitive information, such as a service's owner password
CVE-2020-12120
7.5 - High
- April 27, 2020
The Correos Express addon for PrestaShop 1.6 through 1.7 allows remote attackers to obtain sensitive information, such as a service's owner password that can be used to modify orders via SOAP. Attackers can also retrieve information about orders or buyers.
Information Disclosure
In PrestaShop between versions 1.5.5.0 and 1.7.6.5, there is a reflected XSS on Search page with `alias` and `search` parameters
CVE-2020-5272
6.1 - Medium
- April 20, 2020
In PrestaShop between versions 1.5.5.0 and 1.7.6.5, there is a reflected XSS on the Search page with the `alias` and `search` parameters. The problem is patched in 1.7.6.5.
XSS
In PrestaShop between versions 1.7.1.0 and 1.7.6.5
CVE-2020-5276
6.1 - Medium
- April 20, 2020
In PrestaShop between versions 1.7.1.0 and 1.7.6.5, there is a reflected XSS on the AdminCarts page with the `cartBox` parameter. The problem is fixed in 1.7.6.5.
XSS
In PrestaShop between versions 1.5.4.0 and 1.7.6.5
CVE-2020-5278
6.1 - Medium
- April 20, 2020
In PrestaShop between versions 1.5.4.0 and 1.7.6.5, there is a reflected XSS on the Exception page. The problem is fixed in 1.7.6.5.
XSS
In PrestaShop between versions 1.5.0.0 and 1.7.6.5, there are improper access control since the the version 1.5.0.0 for legacy controllers
CVE-2020-5279
6.5 - Medium
- April 20, 2020
In PrestaShop between versions 1.5.0.0 and 1.7.6.5, there is improper access control since version 1.5.0.0 for the following legacy controllers:
- admin-dev/index.php/configure/shop/customer-preferences/
- admin-dev/index.php/improve/international/translations/
- admin-dev/index.php/improve/international/geolocation/
- admin-dev/index.php/improve/international/localization
- admin-dev/index.php/configure/advanced/performance
- admin-dev/index.php/sell/orders/delivery-slips/
- admin-dev/index.php?controller=AdminStatuses
The problem is fixed in 1.7.6.5.
AuthZ
In PrestaShop between versions 1.7.6.0 and 1.7.6.5, there is a reflected XSS with `back` parameter
CVE-2020-5285
6.1 - Medium
- April 20, 2020
In PrestaShop between versions 1.7.6.0 and 1.7.6.5, there is a reflected XSS with the `back` parameter. The problem is fixed in 1.7.6.5.
XSS
In PrestaShop between versions 1.7.4.0 and 1.7.6.5, there is a reflected XSS when uploading a wrong file
CVE-2020-5286
6.1 - Medium
- April 20, 2020
In PrestaShop between versions 1.7.4.0 and 1.7.6.5, there is a reflected XSS when uploading a wrong file. The problem is fixed in 1.7.6.5.
XSS
In PrestaShop between versions 1.5.5.0 and 1.7.6.5, there is improper access control on customers search
CVE-2020-5287
6.5 - Medium
- April 20, 2020
In PrestaShop between versions 1.5.5.0 and 1.7.6.5, there is improper access control on customers search. The problem is fixed in 1.7.6.5.
AuthZ
In PrestaShop between versions 1.7.0.0 and 1.7.6.5, there is improper access controls on product attributes page
CVE-2020-5288
6.5 - Medium
- April 20, 2020
In PrestaShop between versions 1.7.0.0 and 1.7.6.5, there is improper access control on the product attributes page. The problem is fixed in 1.7.6.5.
AuthZ
In PrestaShop between versions 1.7.0.0 and 1.7.6.5
CVE-2020-5293
6.5 - Medium
- April 20, 2020
In PrestaShop between versions 1.7.0.0 and 1.7.6.5, there is improper access control on the product page with combinations, attachments and specific prices. The problem is fixed in 1.7.6.5.
AuthZ
In PrestaShop between versions 1.6.0.0 and 1.7.6.5, there is a reflected XSS with `date_
CVE-2020-5271
6.1 - Medium
- April 20, 2020
In PrestaShop between versions 1.6.0.0 and 1.7.6.5, there is a reflected XSS with the `date_from` and `date_to` parameters in the dashboard page. This problem is fixed in 1.7.6.5.
XSS
In PrestaShop between versions 1.7.6.0 and 1.7.6.5, there is an open redirection when using back parameter
CVE-2020-5270
6.1 - Medium
- April 20, 2020
In PrestaShop between versions 1.7.6.0 and 1.7.6.5, there is an open redirection when using the back parameter. The impacts can be many, and vary from the theft of information and credentials to redirection to malicious websites containing attacker-controlled content, which in some cases can even cause XSS attacks. So even though an open redirection might sound harmless at first, its impact can be severe should it be exploitable. The problem is fixed in 1.7.6.5.
Open Redirect
In PrestaShop between versions 1.7.6.1 and 1.7.6.5, there is a reflected XSS on AdminFeatures page by using the `id_feature` parameter
CVE-2020-5269
6.1 - Medium
- April 20, 2020
In PrestaShop between versions 1.7.6.1 and 1.7.6.5, there is a reflected XSS on the AdminFeatures page by using the `id_feature` parameter. The problem is fixed in 1.7.6.5.
XSS
In PrestaShop between versions 1.7.6.1 and 1.7.6.5, there is a reflected XSS on AdminAttributesGroups page
CVE-2020-5265
6.1 - Medium
- April 20, 2020
In PrestaShop between versions 1.7.6.1 and 1.7.6.5, there is a reflected XSS on the AdminAttributesGroups page. The problem is patched in 1.7.6.5.
XSS
In PrestaShop before version 1.7.6.5, there is a reflected XSS while running the security compromised page
CVE-2020-5264
6.1 - Medium
- April 20, 2020
In PrestaShop before version 1.7.6.5, there is a reflected XSS while running the security compromised page. It allows anyone to execute arbitrary actions. The problem is patched in 1.7.6.5.
XSS
PrestaShop module ps_facetedsearch versions before 2.1.0 has a reflected XSS with social networks fields The problem is fixed in 2.1.0
CVE-2020-5294
5.4 - Medium
- April 16, 2020
PrestaShop module ps_facetedsearch versions before 2.1.0 has a reflected XSS with the social networks fields. The problem is fixed in 2.1.0.
XSS
In the ps_link module for PrestaShop before version 3.1.0
CVE-2020-5266
5.4 - Medium
- April 16, 2020
In the ps_link module for PrestaShop before version 3.1.0, there is a stored XSS when you create or edit a link list block with the title field. The problem is fixed in 3.1.0.
XSS
In PrestaShop module ps_linklist versions before 3.1.0, there is a stored XSS when using custom URLs
CVE-2020-5273
5.4 - Medium
- April 16, 2020
In PrestaShop module ps_linklist versions before 3.1.0, there is a stored XSS when using custom URLs. The problem is fixed in version 3.1.0.
XSS
PrestaShop module ps_facetedsearch versions before 3.5.0 has a reflected XSS with `url_name` parameter
CVE-2020-5277
5.4 - Medium
- March 25, 2020
PrestaShop module ps_facetedsearch versions before 3.5.0 has a reflected XSS with the `url_name` parameter. The problem is fixed in 3.5.0.
XSS
In PrestaShop before version 1.7.6.4, when a customer edits their address, they
CVE-2020-5250
6.3 - Medium
- March 05, 2020
In PrestaShop before version 1.7.6.4, when a customer edits their address, they can freely change the id_address in the form, and thus steal someone else's address. It is the same with CustomerForm: you are able to change the id_customer and change all information of all accounts. The problem is patched in version 1.7.6.4.
Files or Directories Accessible to External Parties
In PrestaShop 1.7.6.2, XSS can occur during addition or removal of a QuickAccess link
CVE-2020-6632
6.1 - Medium
- January 09, 2020
In PrestaShop 1.7.6.2, XSS can occur during addition or removal of a QuickAccess link. This is related to AdminQuickAccessesController.php, themes/default/template/header.tpl, and themes/new-theme/js/header.js.
XSS
In PrestaShop before 1.7.6.0 RC2
CVE-2019-13461
7.5 - High
- July 09, 2019
In PrestaShop before 1.7.6.0 RC2, the id_address_delivery and id_address_invoice parameters are affected by an Insecure Direct Object Reference vulnerability due to a guessable value sent to the web application during checkout. An attacker could leak personal customer information. This is PrestaShop bug #14444.
Insecure Direct Object Reference / IDOR
In PrestaShop 1.7.5.2, the shop_country parameter in the install/index.php installation script/component is affected by Reflected XSS
CVE-2019-11876
6.1 - Medium
- May 24, 2019
In PrestaShop 1.7.5.2, the shop_country parameter in the install/index.php installation script/component is affected by Reflected XSS. Exploitation by a malicious actor requires the user to follow the initial stages of the setup (accepting terms and conditions) before executing the malicious link.
XSS
In the orders section of PrestaShop before 1.7.2.5
CVE-2018-20717
8.8 - High
- January 15, 2019
In the orders section of PrestaShop before 1.7.2.5, an attack is possible after gaining access to a target store with a user role that has at least Salesman privileges. The attacker can then inject arbitrary PHP objects into the process and abuse an object chain in order to gain Remote Code Execution. This occurs because the protection against serialized objects looks for a 0: followed by an integer, but does not consider 0:+ followed by an integer.
Code Injection
modules/orderfiles/ajax/upload.php in the Customer Files Upload addon 2018-08-01 for PrestaShop (1.5 through 1.7)
CVE-2018-19355
9.8 - Critical
- November 19, 2018
modules/orderfiles/ajax/upload.php in the Customer Files Upload addon 2018-08-01 for PrestaShop (1.5 through 1.7) allows remote attackers to execute arbitrary code by uploading a php file via modules/orderfiles/upload.php with auptype equal to product (for upload destinations under modules/productfiles), order (for upload destinations under modules/files), or cart (for upload destinations under modules/cartfiles).
Unrestricted File Upload
PrestaShop 1.6.x before 1.6.1.23 and 1.7.x before 1.7.4.4
CVE-2018-19125
7.5 - High
- November 09, 2018
PrestaShop 1.6.x before 1.6.1.23 and 1.7.x before 1.7.4.4 allows remote attackers to delete an image directory.
PrestaShop 1.6.x before 1.6.1.23 and 1.7.x before 1.7.4.4
CVE-2018-19126
9.8 - Critical
- November 09, 2018
PrestaShop 1.6.x before 1.6.1.23 and 1.7.x before 1.7.4.4 allows remote attackers to execute arbitrary code via a file upload.
Unrestricted File Upload
PrestaShop before 1.6.1.20 and 1.7.x before 1.7.3.4 mishandles cookie encryption in Cookie.php
CVE-2018-13784
9.1 - Critical
- July 09, 2018
PrestaShop before 1.6.1.20 and 1.7.x before 1.7.3.4 mishandles cookie encryption in Cookie.php, Rinjdael.php, and Blowfish.php.
modules/bamegamenu/ajax_phpcode.php in the Responsive Mega Menu (Horizontal+Vertical+Dropdown) Pro module 1.0.32 for PrestaShop 1.5.5.0 through 1.7.2.5
CVE-2018-8824
9.8 - Critical
- May 10, 2018
modules/bamegamenu/ajax_phpcode.php in the Responsive Mega Menu (Horizontal+Vertical+Dropdown) Pro module 1.0.32 for PrestaShop 1.5.5.0 through 1.7.2.5 allows remote attackers to execute a SQL Injection through function calls in the code parameter.
SQL Injection
modules/bamegamenu/ajax_phpcode.php in the Responsive Mega Menu (Horizontal+Vertical+Dropdown) Pro module 1.0.32 for PrestaShop 1.5.5.0 through 1.7.2.5
CVE-2018-8823
9.8 - Critical
- March 28, 2018
modules/bamegamenu/ajax_phpcode.php in the Responsive Mega Menu (Horizontal+Vertical+Dropdown) Pro module 1.0.32 for PrestaShop 1.5.5.0 through 1.7.2.5 allows remote attackers to execute arbitrary PHP code via the code parameter.
Code Injection
In PrestaShop through 1.7.2.5, a UI-Redressing/Clickjacking vulnerability was found
CVE-2018-7491
7.5 - High
- February 26, 2018
In PrestaShop through 1.7.2.5, a UI-Redressing/Clickjacking vulnerability was found that might lead to state-changing impact in the context of a user or an admin, because the generateHtaccess function in classes/Tools.php sets neither X-Frame-Options nor 'Content-Security-Policy "frame-ancestors' values.
Clickjacking
PrestaShop 1.7.2.4 allows user enumeration
CVE-2018-5682
5.3 - Medium
- January 13, 2018
PrestaShop 1.7.2.4 allows user enumeration via the Reset Password feature, by noticing which reset attempts do not produce a "This account does not exist" error message.
Information Disclosure