Prestashop:  Security Vulnerabilities
SQL injection vulnerability in the City Autocomplete (cityautocomplete) module from ebewe.net for PrestaShop, prior to version 1.8.12 (for PrestaShop version 1.5/1.6) or prior to 2.0.3 (for PrestaShop version 1.7), allows remote attackers to execute arbitrary SQL commands via the type, input_name, or q parameter in the autocompletion.php front controller.
CVSS Score: 9.8 | EPSS Score: 0.106 | Published: 2023-06-02
Prestashop possearchproducts 1.7 is vulnerable to SQL Injection via PosSearch::find().
CVSS Score: 9.8 | EPSS Score: 0.502 | Published: 2023-05-12
Prestashop posstaticfooter <= 1.0.0 is vulnerable to SQL Injection via posstaticfooter::getPosCurrentHook().
CVSS Score: 9.8 | EPSS Score: 0.039 | Published: 2023-05-10
PrestaShop scexportcustomers <= 3.6.1 is vulnerable to Incorrect Access Control. Due to a lack of permission controls, a guest can access exports from the module, which can lead to a leak of personal information from the customer table.
CVSS Score: 7.5 | EPSS Score: 0.001 | Published: 2023-05-04
PrestaShop is an Open Source e-commerce web application. Prior to versions 8.0.4 and 1.7.8.9, the `ValidateCore::isCleanHTML()` method of PrestaShop misses hijackable events which can lead to cross-site scripting (XSS) injection, allowed by the presence of pre-setup `@keyframes` methods. This XSS, which hijacks HTML attributes, can be triggered without any interaction by the visitor/administrator, which makes it as dangerous as a trivial XSS attack. Contrary to other attacks which target HTML attributes and are triggered without user interaction (such as onload / onerror, which suffer from a very limited scope), this one can hijack every HTML element, which increases the danger due to a complete HTML element scope. Versions 8.0.4 and 1.7.8.9 contain a fix for this issue.
CVSS Score: 8.5 | EPSS Score: 0.005 | Published: 2023-04-25
PrestaShop is an Open Source e-commerce web application. Versions prior to 8.0.4 and 1.7.8.9 contain a SQL filtering vulnerability. A BO user can write, update, and delete in the database, even without having specific rights. PrestaShop 8.0.4 and 1.7.8.9 contain a patch for this issue. There are no known workarounds.
CVSS Score: 9.9 | EPSS Score: 0.062 | Published: 2023-04-25
PrestaShop is an Open Source e-commerce web application. Prior to versions 8.0.4 and 1.7.8.9, it is possible for a user with access to the SQL Manager (Advanced Options -> Database) to arbitrarily read any file on the operating system when using the SQL function `LOAD_FILE` in a `SELECT` request. This gives the user access to critical information. A patch is available in PrestaShop 8.0.4 and PS 1.7.8.9.
CVSS Score: 7.7 | EPSS Score: 0.004 | Published: 2023-04-25
The eo_tags package before 1.3.0 for PrestaShop allows SQL injection via an HTTP User-Agent or Referer header.
CVSS Score: 9.8 | EPSS Score: 0.001 | Published: 2023-03-21
The eo_tags package before 1.4.19 for PrestaShop allows SQL injection via a crafted _ga cookie.
CVSS Score: 9.8 | EPSS Score: 0.001 | Published: 2023-03-21
PrestaShop ws_productreviews < 3.6.2 is vulnerable to SQL Injection.
CVSS Score: 8.8 | EPSS Score: 0.001 | Published: 2023-03-14
Shodan ® - All rights reserved