Prestashop: >> Prestashop Security Vulnerabilities
In PrestaShop between versions 1.5.4.0 and 1.7.6.5, there is a reflected XSS on Exception page The problem is fixed in 1.7.6.5
CVSS Score
4.1
EPSS Score
0.002
Published
2020-04-20
In PrestaShop between versions 1.5.0.0 and 1.7.6.5, there are improper access control since the the version 1.5.0.0 for legacy controllers. - admin-dev/index.php/configure/shop/customer-preferences/ - admin-dev/index.php/improve/international/translations/ - admin-dev/index.php/improve/international/geolocation/ - admin-dev/index.php/improve/international/localization - admin-dev/index.php/configure/advanced/performance - admin-dev/index.php/sell/orders/delivery-slips/ - admin-dev/index.php?controller=AdminStatuses The problem is fixed in 1.7.6.5
CVSS Score
4.1
EPSS Score
0.002
Published
2020-04-20
In PrestaShop before version 1.7.6.4, when a customer edits their address, they can freely change the id_address in the form, and thus steal someone else's address. It is the same with CustomerForm, you are able to change the id_customer and change all information of all accounts. The problem is patched in version 1.7.6.4.
CVSS Score
7.6
EPSS Score
0.006
Published
2020-03-05
PrestaShop 1.5.5 vulnerable to privilege escalation via a Salesman account via upload module
CVSS Score
9.8
EPSS Score
0.003
Published
2020-02-18
PrestaShop before 1.4.11 allows Logistician, translators and other low level profiles/accounts to inject a persistent XSS vector on TinyMCE.
CVSS Score
5.4
EPSS Score
0.002
Published
2020-02-14
PrestaShop before 1.4.11 allows logout CSRF.
CVSS Score
5.5
EPSS Score
0.001
Published
2020-02-14
Cross-site scripting (XSS) vulnerability in PrestaShop before 1.4.9 allows remote attackers to inject arbitrary web script or HTML via the index of the product[] parameter to ajax.php.
CVSS Score
6.1
EPSS Score
0.009
Published
2020-02-11
PrestaShop 1.5.5 allows remote authenticated attackers to execute arbitrary code by uploading a crafted profile and then accessing it in the module/ directory.
CVSS Score
8.8
EPSS Score
0.032
Published
2020-01-23
In PrestaShop 1.7.6.2, XSS can occur during addition or removal of a QuickAccess link. This is related to AdminQuickAccessesController.php, themes/default/template/header.tpl, and themes/new-theme/js/header.js.
CVSS Score
6.1
EPSS Score
0.003
Published
2020-01-09
reset/modules/fotoliaFoto/multi_upload.php in the RESET.PRO Adobe Stock API Integration for PrestaShop 1.6 and 1.7 allows remote attackers to execute arbitrary code by uploading a .php file.
CVSS Score
9.8
EPSS Score
0.056
Published
2019-12-05