Vulnerabilites related to PrestaShop - PrestaShop
CVE-2020-5286 (GCVE-0-2020-5286)
Vulnerability from cvelistv5
Published
2020-04-20 16:55
Modified
2024-08-04 08:22
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
In PrestaShop between versions 1.7.4.0 and 1.7.6.5, there is a reflected XSS when uploading a wrong file. The problem is fixed in 1.7.6.5
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PrestaShop | PrestaShop |
Version: >= 1.7.4.0, < 1.7.6.5 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:22:09.095Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-98j8-hvjv-x47j"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/fc0625fb0a9aab1835515f1bea52e8e063384da7"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PrestaShop",
"vendor": "PrestaShop",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.7.4.0, \u003c 1.7.6.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In PrestaShop between versions 1.7.4.0 and 1.7.6.5, there is a reflected XSS when uploading a wrong file. The problem is fixed in 1.7.6.5"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-04-20T16:55:33",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-98j8-hvjv-x47j"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/fc0625fb0a9aab1835515f1bea52e8e063384da7"
}
],
"source": {
"advisory": "GHSA-98j8-hvjv-x47j",
"discovery": "UNKNOWN"
},
"title": "Reflected XSS related in import page in PrestaShop",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-5286",
"STATE": "PUBLIC",
"TITLE": "Reflected XSS related in import page in PrestaShop"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PrestaShop",
"version": {
"version_data": [
{
"version_value": "\u003e= 1.7.4.0, \u003c 1.7.6.5"
}
]
}
}
]
},
"vendor_name": "PrestaShop"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In PrestaShop between versions 1.7.4.0 and 1.7.6.5, there is a reflected XSS when uploading a wrong file. The problem is fixed in 1.7.6.5"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-98j8-hvjv-x47j",
"refsource": "CONFIRM",
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-98j8-hvjv-x47j"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/fc0625fb0a9aab1835515f1bea52e8e063384da7",
"refsource": "MISC",
"url": "https://github.com/PrestaShop/PrestaShop/commit/fc0625fb0a9aab1835515f1bea52e8e063384da7"
}
]
},
"source": {
"advisory": "GHSA-98j8-hvjv-x47j",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-5286",
"datePublished": "2020-04-20T16:55:33",
"dateReserved": "2020-01-02T00:00:00",
"dateUpdated": "2024-08-04T08:22:09.095Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-39525 (GCVE-0-2023-39525)
Vulnerability from cvelistv5
Published
2023-08-07 20:23
Modified
2024-10-03 16:20
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Summary
PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, in the back office, files can be compromised using path traversal by replaying the import file deletion query with a specified file path that uses the traversal path. Version 8.1.1 contains a patch for this issue. There are no known workarounds.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PrestaShop | PrestaShop |
Version: < 8.1.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:10:21.146Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-m9r4-3fg7-pqm2",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-m9r4-3fg7-pqm2"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/c7c9a5110421bb2856f4d312ecce192d079b5ec7",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/c7c9a5110421bb2856f4d312ecce192d079b5ec7"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-39525",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-03T16:19:54.665845Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-03T16:20:05.542Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "PrestaShop",
"vendor": "PrestaShop",
"versions": [
{
"status": "affected",
"version": "\u003c 8.1.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, in the back office, files can be compromised using path traversal by replaying the import file deletion query with a specified file path that uses the traversal path. Version 8.1.1 contains a patch for this issue. There are no known workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-07T20:23:53.884Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-m9r4-3fg7-pqm2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-m9r4-3fg7-pqm2"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/c7c9a5110421bb2856f4d312ecce192d079b5ec7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/c7c9a5110421bb2856f4d312ecce192d079b5ec7"
}
],
"source": {
"advisory": "GHSA-m9r4-3fg7-pqm2",
"discovery": "UNKNOWN"
},
"title": "PrestaShop vulnerable to path traversal"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-39525",
"datePublished": "2023-08-07T20:23:53.884Z",
"dateReserved": "2023-08-03T16:27:36.262Z",
"dateUpdated": "2024-10-03T16:20:05.542Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-15080 (GCVE-0-2020-15080)
Vulnerability from cvelistv5
Published
2020-07-02 16:45
Modified
2024-08-04 13:08
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-200 - {"":"Exposure of Sensitive Information to an Unauthorized Actor"}
Summary
In PrestaShop from version 1.7.4.0 and before version 1.7.6.6, some files should not be in the release archive, and others should not be accessible. The problem is fixed in version 1.7.6.6 A possible workaround is to make sure `composer.json` and `docker-compose.yml` are not accessible on your server.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PrestaShop | PrestaShop |
Version: >= 1.7.4.0, <1.7.6.6 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:08:21.779Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-492w-2pp5-xhvg"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/35ef7e9d892287c302df1fc5aa05ecfc6f15bc76"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PrestaShop",
"vendor": "PrestaShop",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.7.4.0, \u003c1.7.6.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In PrestaShop from version 1.7.4.0 and before version 1.7.6.6, some files should not be in the release archive, and others should not be accessible. The problem is fixed in version 1.7.6.6 A possible workaround is to make sure `composer.json` and `docker-compose.yml` are not accessible on your server."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "{\"CWE-200\":\"Exposure of Sensitive Information to an Unauthorized Actor\"}",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-02T16:45:19",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-492w-2pp5-xhvg"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/35ef7e9d892287c302df1fc5aa05ecfc6f15bc76"
}
],
"source": {
"advisory": "GHSA-492w-2pp5-xhvg",
"discovery": "UNKNOWN"
},
"title": "Information disclosure in release archive in PrestaShop",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-15080",
"STATE": "PUBLIC",
"TITLE": "Information disclosure in release archive in PrestaShop"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PrestaShop",
"version": {
"version_data": [
{
"version_value": "\u003e= 1.7.4.0, \u003c1.7.6.6"
}
]
}
}
]
},
"vendor_name": "PrestaShop"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In PrestaShop from version 1.7.4.0 and before version 1.7.6.6, some files should not be in the release archive, and others should not be accessible. The problem is fixed in version 1.7.6.6 A possible workaround is to make sure `composer.json` and `docker-compose.yml` are not accessible on your server."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "{\"CWE-200\":\"Exposure of Sensitive Information to an Unauthorized Actor\"}"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-492w-2pp5-xhvg",
"refsource": "CONFIRM",
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-492w-2pp5-xhvg"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/35ef7e9d892287c302df1fc5aa05ecfc6f15bc76",
"refsource": "MISC",
"url": "https://github.com/PrestaShop/PrestaShop/commit/35ef7e9d892287c302df1fc5aa05ecfc6f15bc76"
}
]
},
"source": {
"advisory": "GHSA-492w-2pp5-xhvg",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-15080",
"datePublished": "2020-07-02T16:45:19",
"dateReserved": "2020-06-25T00:00:00",
"dateUpdated": "2024-08-04T13:08:21.779Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-5287 (GCVE-0-2020-5287)
Vulnerability from cvelistv5
Published
2020-04-20 16:55
Modified
2024-08-04 08:22
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-284 - Improper Access Control
Summary
In PrestaShop between versions 1.5.5.0 and 1.7.6.5, there is improper access control on customers search. The problem is fixed in 1.7.6.5.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PrestaShop | PrestaShop |
Version: > 1.5.5.0, < 1.7.6.5 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:22:09.091Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-r6rp-6gv6-r9hq"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/27e49d89808f1d76eb909a595f344a6739bc0b52"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PrestaShop",
"vendor": "PrestaShop",
"versions": [
{
"status": "affected",
"version": "\u003e 1.5.5.0, \u003c 1.7.6.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In PrestaShop between versions 1.5.5.0 and 1.7.6.5, there is improper access control on customers search. The problem is fixed in 1.7.6.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-04-20T16:55:27",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-r6rp-6gv6-r9hq"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/27e49d89808f1d76eb909a595f344a6739bc0b52"
}
],
"source": {
"advisory": "GHSA-r6rp-6gv6-r9hq",
"discovery": "UNKNOWN"
},
"title": "Improper access control on customers search in PrestaShop",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-5287",
"STATE": "PUBLIC",
"TITLE": "Improper access control on customers search in PrestaShop"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PrestaShop",
"version": {
"version_data": [
{
"version_value": "\u003e 1.5.5.0, \u003c 1.7.6.5"
}
]
}
}
]
},
"vendor_name": "PrestaShop"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In PrestaShop between versions 1.5.5.0 and 1.7.6.5, there is improper access control on customers search. The problem is fixed in 1.7.6.5."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-284: Improper Access Control"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-r6rp-6gv6-r9hq",
"refsource": "CONFIRM",
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-r6rp-6gv6-r9hq"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/27e49d89808f1d76eb909a595f344a6739bc0b52",
"refsource": "MISC",
"url": "https://github.com/PrestaShop/PrestaShop/commit/27e49d89808f1d76eb909a595f344a6739bc0b52"
}
]
},
"source": {
"advisory": "GHSA-r6rp-6gv6-r9hq",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-5287",
"datePublished": "2020-04-20T16:55:27",
"dateReserved": "2020-01-02T00:00:00",
"dateUpdated": "2024-08-04T08:22:09.091Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-5276 (GCVE-0-2020-5276)
Vulnerability from cvelistv5
Published
2020-04-20 16:50
Modified
2024-08-04 08:22
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
In PrestaShop between versions 1.7.1.0 and 1.7.6.5, there is a reflected XSS on AdminCarts page with `cartBox` parameter The problem is fixed in 1.7.6.5
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PrestaShop | PrestaShop |
Version: >= 1.7.1.0, < 1.7.6.5 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:22:09.066Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-q6pr-42v5-v97q"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/6838d21850e7227fb8afbf568cb0386b3dedd3ef"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PrestaShop",
"vendor": "PrestaShop",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.7.1.0, \u003c 1.7.6.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In PrestaShop between versions 1.7.1.0 and 1.7.6.5, there is a reflected XSS on AdminCarts page with `cartBox` parameter The problem is fixed in 1.7.6.5"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-04-20T16:50:29",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-q6pr-42v5-v97q"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/6838d21850e7227fb8afbf568cb0386b3dedd3ef"
}
],
"source": {
"advisory": "GHSA-q6pr-42v5-v97q",
"discovery": "UNKNOWN"
},
"title": "Reflected XSS on AdminCarts page of PrestaShop",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-5276",
"STATE": "PUBLIC",
"TITLE": "Reflected XSS on AdminCarts page of PrestaShop"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PrestaShop",
"version": {
"version_data": [
{
"version_value": "\u003e= 1.7.1.0, \u003c 1.7.6.5"
}
]
}
}
]
},
"vendor_name": "PrestaShop"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In PrestaShop between versions 1.7.1.0 and 1.7.6.5, there is a reflected XSS on AdminCarts page with `cartBox` parameter The problem is fixed in 1.7.6.5"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-q6pr-42v5-v97q",
"refsource": "CONFIRM",
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-q6pr-42v5-v97q"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/6838d21850e7227fb8afbf568cb0386b3dedd3ef",
"refsource": "MISC",
"url": "https://github.com/PrestaShop/PrestaShop/commit/6838d21850e7227fb8afbf568cb0386b3dedd3ef"
}
]
},
"source": {
"advisory": "GHSA-q6pr-42v5-v97q",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-5276",
"datePublished": "2020-04-20T16:50:29",
"dateReserved": "2020-01-02T00:00:00",
"dateUpdated": "2024-08-04T08:22:09.066Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-5272 (GCVE-0-2020-5272)
Vulnerability from cvelistv5
Published
2020-04-20 16:50
Modified
2024-08-04 08:22
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
In PrestaShop between versions 1.5.5.0 and 1.7.6.5, there is a reflected XSS on Search page with `alias` and `search` parameters. The problem is patched in 1.7.6.5
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PrestaShop | PrestaShop |
Version: >= 1.5.5.0, < 1.7.6.5 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:22:09.094Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-rpg3-f23r-jmqv"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/d3bf027fa37e8105fed3c809d636ebe787e43f46"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PrestaShop",
"vendor": "PrestaShop",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.5.5.0, \u003c 1.7.6.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In PrestaShop between versions 1.5.5.0 and 1.7.6.5, there is a reflected XSS on Search page with `alias` and `search` parameters. The problem is patched in 1.7.6.5"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-04-20T16:50:34",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-rpg3-f23r-jmqv"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/d3bf027fa37e8105fed3c809d636ebe787e43f46"
}
],
"source": {
"advisory": "GHSA-rpg3-f23r-jmqv",
"discovery": "UNKNOWN"
},
"title": "Reflected XSS on Search page of PrestaShop",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-5272",
"STATE": "PUBLIC",
"TITLE": "Reflected XSS on Search page of PrestaShop"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PrestaShop",
"version": {
"version_data": [
{
"version_value": "\u003e= 1.5.5.0, \u003c 1.7.6.5"
}
]
}
}
]
},
"vendor_name": "PrestaShop"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In PrestaShop between versions 1.5.5.0 and 1.7.6.5, there is a reflected XSS on Search page with `alias` and `search` parameters. The problem is patched in 1.7.6.5"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-rpg3-f23r-jmqv",
"refsource": "CONFIRM",
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-rpg3-f23r-jmqv"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/d3bf027fa37e8105fed3c809d636ebe787e43f46",
"refsource": "MISC",
"url": "https://github.com/PrestaShop/PrestaShop/commit/d3bf027fa37e8105fed3c809d636ebe787e43f46"
}
]
},
"source": {
"advisory": "GHSA-rpg3-f23r-jmqv",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-5272",
"datePublished": "2020-04-20T16:50:34",
"dateReserved": "2020-01-02T00:00:00",
"dateUpdated": "2024-08-04T08:22:09.094Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-21398 (GCVE-0-2021-21398)
Vulnerability from cvelistv5
Published
2021-03-30 15:25
Modified
2024-08-03 18:09
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
PrestaShop is a fully scalable open source e-commerce solution. In PrestaShop before version 1.7.7.3, an attacker can inject HTML when the Grid Column Type DataColumn is badly used. The problem is fixed in 1.7.7.3
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PrestaShop | PrestaShop |
Version: >= 1.7.7.0, < 1.7.7.3 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:09:16.051Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-fhhq-4x46-qx77"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/aaaba8177f3b3c510461b5e3249e30e60f900205"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/releases/tag/1.7.7.3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PrestaShop",
"vendor": "PrestaShop",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.7.7.0, \u003c 1.7.7.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PrestaShop is a fully scalable open source e-commerce solution. In PrestaShop before version 1.7.7.3, an attacker can inject HTML when the Grid Column Type DataColumn is badly used. The problem is fixed in 1.7.7.3"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-03-30T15:25:13",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-fhhq-4x46-qx77"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/aaaba8177f3b3c510461b5e3249e30e60f900205"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/releases/tag/1.7.7.3"
}
],
"source": {
"advisory": "GHSA-fhhq-4x46-qx77",
"discovery": "UNKNOWN"
},
"title": "Possible XSS injection through DataColumn Grid class",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-21398",
"STATE": "PUBLIC",
"TITLE": "Possible XSS injection through DataColumn Grid class"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PrestaShop",
"version": {
"version_data": [
{
"version_value": "\u003e= 1.7.7.0, \u003c 1.7.7.3"
}
]
}
}
]
},
"vendor_name": "PrestaShop"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "PrestaShop is a fully scalable open source e-commerce solution. In PrestaShop before version 1.7.7.3, an attacker can inject HTML when the Grid Column Type DataColumn is badly used. The problem is fixed in 1.7.7.3"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-fhhq-4x46-qx77",
"refsource": "CONFIRM",
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-fhhq-4x46-qx77"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/aaaba8177f3b3c510461b5e3249e30e60f900205",
"refsource": "MISC",
"url": "https://github.com/PrestaShop/PrestaShop/commit/aaaba8177f3b3c510461b5e3249e30e60f900205"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/releases/tag/1.7.7.3",
"refsource": "MISC",
"url": "https://github.com/PrestaShop/PrestaShop/releases/tag/1.7.7.3"
}
]
},
"source": {
"advisory": "GHSA-fhhq-4x46-qx77",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-21398",
"datePublished": "2021-03-30T15:25:13",
"dateReserved": "2020-12-22T00:00:00",
"dateUpdated": "2024-08-03T18:09:16.051Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-43789 (GCVE-0-2021-43789)
Vulnerability from cvelistv5
Published
2021-12-07 16:45
Modified
2024-08-04 04:03
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Summary
PrestaShop is an Open Source e-commerce web application. Versions of PrestaShop prior to 1.7.8.2 are vulnerable to blind SQL injection using search filters with `orderBy` and `sortOrder` parameters. The problem is fixed in version 1.7.8.2.
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PrestaShop | PrestaShop |
Version: >= 1.7.5.0, <= 1.7.8.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:03:08.643Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-6xxj-gcjq-wgf4"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/issues/26623"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/releases/tag/1.7.8.2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PrestaShop",
"vendor": "PrestaShop",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.7.5.0, \u003c= 1.7.8.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PrestaShop is an Open Source e-commerce web application. Versions of PrestaShop prior to 1.7.8.2 are vulnerable to blind SQL injection using search filters with `orderBy` and `sortOrder` parameters. The problem is fixed in version 1.7.8.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-07T16:45:12",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-6xxj-gcjq-wgf4"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/issues/26623"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/releases/tag/1.7.8.2"
}
],
"source": {
"advisory": "GHSA-6xxj-gcjq-wgf4",
"discovery": "UNKNOWN"
},
"title": "Blind SQLi using Search filters in PrestaShop",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-43789",
"STATE": "PUBLIC",
"TITLE": "Blind SQLi using Search filters in PrestaShop"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PrestaShop",
"version": {
"version_data": [
{
"version_value": "\u003e= 1.7.5.0, \u003c= 1.7.8.1"
}
]
}
}
]
},
"vendor_name": "PrestaShop"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "PrestaShop is an Open Source e-commerce web application. Versions of PrestaShop prior to 1.7.8.2 are vulnerable to blind SQL injection using search filters with `orderBy` and `sortOrder` parameters. The problem is fixed in version 1.7.8.2."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-6xxj-gcjq-wgf4",
"refsource": "CONFIRM",
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-6xxj-gcjq-wgf4"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/issues/26623",
"refsource": "MISC",
"url": "https://github.com/PrestaShop/PrestaShop/issues/26623"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/releases/tag/1.7.8.2",
"refsource": "MISC",
"url": "https://github.com/PrestaShop/PrestaShop/releases/tag/1.7.8.2"
}
]
},
"source": {
"advisory": "GHSA-6xxj-gcjq-wgf4",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-43789",
"datePublished": "2021-12-07T16:45:12",
"dateReserved": "2021-11-16T00:00:00",
"dateUpdated": "2024-08-04T04:03:08.643Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-34716 (GCVE-0-2024-34716)
Vulnerability from cvelistv5
Published
2024-05-14 15:45
Modified
2024-08-02 02:59
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
PrestaShop is an open source e-commerce web application. A cross-site scripting (XSS) vulnerability that only affects PrestaShops with customer-thread feature flag enabled is present starting from PrestaShop 8.1.0 and prior to PrestaShop 8.1.6. When the customer thread feature flag is enabled through the front-office contact form, a hacker can upload a malicious file containing an XSS that will be executed when an admin opens the attached file in back office. The script injected can access the session and the security token, which allows it to perform any authenticated action in the scope of the administrator's right. This vulnerability is patched in 8.1.6. A workaround is to disable the customer-thread feature-flag.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PrestaShop | PrestaShop |
Version: >= 8.1.0, < 8.1.6 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:prestashop:prestashop:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "prestashop",
"vendor": "prestashop",
"versions": [
{
"lessThan": "8.1.6",
"status": "affected",
"version": "8.1.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-34716",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-11T20:41:38.434859Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-11T20:43:10.450Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:59:22.218Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-45vm-3j38-7p78",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-45vm-3j38-7p78"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/releases/tag/8.1.6",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/releases/tag/8.1.6"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PrestaShop",
"vendor": "PrestaShop",
"versions": [
{
"status": "affected",
"version": "\u003e= 8.1.0, \u003c 8.1.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PrestaShop is an open source e-commerce web application. A cross-site scripting (XSS) vulnerability that only affects PrestaShops with customer-thread feature flag enabled is present starting from PrestaShop 8.1.0 and prior to PrestaShop 8.1.6. When the customer thread feature flag is enabled through the front-office contact form, a hacker can upload a malicious file containing an XSS that will be executed when an admin opens the attached file in back office. The script injected can access the session and the security token, which allows it to perform any authenticated action in the scope of the administrator\u0027s right. This vulnerability is patched in 8.1.6. A workaround is to disable the customer-thread feature-flag."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.7,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-14T15:45:45.345Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-45vm-3j38-7p78",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-45vm-3j38-7p78"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/releases/tag/8.1.6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/releases/tag/8.1.6"
}
],
"source": {
"advisory": "GHSA-45vm-3j38-7p78",
"discovery": "UNKNOWN"
},
"title": "PrestaShop vulnerable to XSS via customer contact form in FO, through file upload"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-34716",
"datePublished": "2024-05-14T15:45:45.345Z",
"dateReserved": "2024-05-07T13:53:00.134Z",
"dateUpdated": "2024-08-02T02:59:22.218Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-15083 (GCVE-0-2020-15083)
Vulnerability from cvelistv5
Published
2020-07-02 16:50
Modified
2024-08-04 13:08
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - {"":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}
Summary
In PrestaShop from version 1.7.0.0 and before version 1.7.6.6, if a target sends a corrupted file, it leads to a reflected XSS. The problem is fixed in 1.7.6.6
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PrestaShop | PrestaShop |
Version: >= 1.7.0.0, < 1.7.6.6 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:08:21.621Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-qgh4-95j7-p3vj"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/bac749bf75a4e0d6312a70b37eb5b0a556f08fbd"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PrestaShop",
"vendor": "PrestaShop",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.7.0.0, \u003c 1.7.6.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In PrestaShop from version 1.7.0.0 and before version 1.7.6.6, if a target sends a corrupted file, it leads to a reflected XSS. The problem is fixed in 1.7.6.6"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "{\"CWE-79\":\"Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-02T16:50:12",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-qgh4-95j7-p3vj"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/bac749bf75a4e0d6312a70b37eb5b0a556f08fbd"
}
],
"source": {
"advisory": "GHSA-qgh4-95j7-p3vj",
"discovery": "UNKNOWN"
},
"title": "Reflected XSS when uploading an image in the Product page in PrestaShop",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-15083",
"STATE": "PUBLIC",
"TITLE": "Reflected XSS when uploading an image in the Product page in PrestaShop"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PrestaShop",
"version": {
"version_data": [
{
"version_value": "\u003e= 1.7.0.0, \u003c 1.7.6.6"
}
]
}
}
]
},
"vendor_name": "PrestaShop"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In PrestaShop from version 1.7.0.0 and before version 1.7.6.6, if a target sends a corrupted file, it leads to a reflected XSS. The problem is fixed in 1.7.6.6"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "{\"CWE-79\":\"Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-qgh4-95j7-p3vj",
"refsource": "CONFIRM",
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-qgh4-95j7-p3vj"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/bac749bf75a4e0d6312a70b37eb5b0a556f08fbd",
"refsource": "MISC",
"url": "https://github.com/PrestaShop/PrestaShop/commit/bac749bf75a4e0d6312a70b37eb5b0a556f08fbd"
}
]
},
"source": {
"advisory": "GHSA-qgh4-95j7-p3vj",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-15083",
"datePublished": "2020-07-02T16:50:12",
"dateReserved": "2020-06-25T00:00:00",
"dateUpdated": "2024-08-04T13:08:21.621Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-39526 (GCVE-0-2023-39526)
Vulnerability from cvelistv5
Published
2023-08-07 20:28
Modified
2024-10-10 19:06
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Summary
PrestaShop is an open source e-commerce web application. Versions prior to 1.7.8.10, 8.0.5, and 8.1.1 are vulnerable to remote code execution through SQL injection and arbitrary file write in the back office. Versions 1.7.8.10, 8.0.5, and 8.1.1 contain a patch. There are no known workarounds.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PrestaShop | PrestaShop |
Version: < 1.7.8.10 Version: >= 8.0.0, < 8.0.5 Version: = 8.1.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:10:21.122Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-gf46-prm4-56pc",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-gf46-prm4-56pc"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/817847e2347844a9b6add017581f1932bcd28c09",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/817847e2347844a9b6add017581f1932bcd28c09"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-39526",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-10T19:05:56.644433Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-10T19:06:10.065Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "PrestaShop",
"vendor": "PrestaShop",
"versions": [
{
"status": "affected",
"version": "\u003c 1.7.8.10"
},
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.0.5"
},
{
"status": "affected",
"version": "= 8.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PrestaShop is an open source e-commerce web application. Versions prior to 1.7.8.10, 8.0.5, and 8.1.1 are vulnerable to remote code execution through SQL injection and arbitrary file write in the back office. Versions 1.7.8.10, 8.0.5, and 8.1.1 contain a patch. There are no known workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-07T20:28:59.051Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-gf46-prm4-56pc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-gf46-prm4-56pc"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/817847e2347844a9b6add017581f1932bcd28c09",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/817847e2347844a9b6add017581f1932bcd28c09"
}
],
"source": {
"advisory": "GHSA-gf46-prm4-56pc",
"discovery": "UNKNOWN"
},
"title": "PrestaShopSQL manager vulnerability (potential RCE)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-39526",
"datePublished": "2023-08-07T20:28:59.051Z",
"dateReserved": "2023-08-03T16:27:36.262Z",
"dateUpdated": "2024-10-10T19:06:10.065Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-34717 (GCVE-0-2024-34717)
Vulnerability from cvelistv5
Published
2024-05-14 15:47
Modified
2024-08-02 02:59
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Summary
PrestaShop is an open source e-commerce web application. In PrestaShop 8.1.5, any invoice can be downloaded from front-office in anonymous mode, by supplying a random secure_key parameter in the url. This issue is patched in version 8.1.6. No known workarounds are available.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PrestaShop | PrestaShop |
Version: = 8.1.5 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:prestashop:prestashop:8.1.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "prestashop",
"vendor": "prestashop",
"versions": [
{
"lessThan": "8.1.6",
"status": "affected",
"version": "8.1.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-34717",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-15T13:22:48.091893Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:41:41.822Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:59:22.270Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-7pjr-2rgh-fc5g",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-7pjr-2rgh-fc5g"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/releases/tag/8.1.6",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/releases/tag/8.1.6"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PrestaShop",
"vendor": "PrestaShop",
"versions": [
{
"status": "affected",
"version": "= 8.1.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PrestaShop is an open source e-commerce web application. In PrestaShop 8.1.5, any invoice can be downloaded from front-office in anonymous mode, by supplying a random secure_key parameter in the url. This issue is patched in version 8.1.6. No known workarounds are available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-14T15:47:27.265Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-7pjr-2rgh-fc5g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-7pjr-2rgh-fc5g"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/releases/tag/8.1.6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/releases/tag/8.1.6"
}
],
"source": {
"advisory": "GHSA-7pjr-2rgh-fc5g",
"discovery": "UNKNOWN"
},
"title": "Anonymous PrestaShop customer can download other customers\u0027 invoices"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-34717",
"datePublished": "2024-05-14T15:47:27.265Z",
"dateReserved": "2024-05-07T13:53:00.134Z",
"dateUpdated": "2024-08-02T02:59:22.270Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-46158 (GCVE-0-2022-46158)
Vulnerability from cvelistv5
Published
2022-12-08 21:50
Modified
2025-04-23 16:30
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Summary
PrestaShop is an open-source e-commerce solution. Versions prior to 1.7.8.8 did not properly restrict host filesystem access for users. Users may have been able to view the contents of the upload directory without appropriate permissions. This issue has been addressed and users are advised to upgrade to version 1.7.8.8. There are no known workarounds for this issue.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PrestaShop | PrestaShop |
Version: < 1.7.8.8 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T14:24:03.395Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-9qgp-9wwc-v29r",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-9qgp-9wwc-v29r"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/8684d429fb7c3bb51efb098e8b92a1fd2958f8cf",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/8684d429fb7c3bb51efb098e8b92a1fd2958f8cf"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-46158",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:47:57.898181Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T16:30:45.764Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "PrestaShop",
"vendor": "PrestaShop",
"versions": [
{
"status": "affected",
"version": "\u003c 1.7.8.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PrestaShop is an open-source e-commerce solution. Versions prior to 1.7.8.8 did not properly restrict host filesystem access for users. Users may have been able to view the contents of the upload directory without appropriate permissions. This issue has been addressed and users are advised to upgrade to version 1.7.8.8. There are no known workarounds for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-08T21:50:44.155Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-9qgp-9wwc-v29r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-9qgp-9wwc-v29r"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/8684d429fb7c3bb51efb098e8b92a1fd2958f8cf",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/8684d429fb7c3bb51efb098e8b92a1fd2958f8cf"
}
],
"source": {
"advisory": "GHSA-9qgp-9wwc-v29r",
"discovery": "UNKNOWN"
},
"title": "Potential Information exposure in the upload directory in PrestaShop"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-46158",
"datePublished": "2022-12-08T21:50:44.155Z",
"dateReserved": "2022-11-28T17:27:19.997Z",
"dateUpdated": "2025-04-23T16:30:45.764Z",
"requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-5250 (GCVE-0-2020-5250)
Vulnerability from cvelistv5
Published
2020-03-05 17:00
Modified
2024-08-04 08:22
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-285 - Improper Authorization
Summary
In PrestaShop before version 1.7.6.4, when a customer edits their address, they can freely change the id_address in the form, and thus steal someone else's address. It is the same with CustomerForm, you are able to change the id_customer and change all information of all accounts. The problem is patched in version 1.7.6.4.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PrestaShop | PrestaShop |
Version: < 1.7.6.4 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:22:09.084Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-mhfc-6rhg-fxp3"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/a4a609b5064661f0b47ab5bc538e1a9cd3dd1069"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PrestaShop",
"vendor": "PrestaShop",
"versions": [
{
"status": "affected",
"version": "\u003c 1.7.6.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In PrestaShop before version 1.7.6.4, when a customer edits their address, they can freely change the id_address in the form, and thus steal someone else\u0027s address. It is the same with CustomerForm, you are able to change the id_customer and change all information of all accounts. The problem is patched in version 1.7.6.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-03-05T17:00:18",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-mhfc-6rhg-fxp3"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/a4a609b5064661f0b47ab5bc538e1a9cd3dd1069"
}
],
"source": {
"advisory": "GHSA-mhfc-6rhg-fxp3",
"discovery": "UNKNOWN"
},
"title": "Possible information disclosure in PrestaShop",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-5250",
"STATE": "PUBLIC",
"TITLE": "Possible information disclosure in PrestaShop"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PrestaShop",
"version": {
"version_data": [
{
"version_value": "\u003c 1.7.6.4"
}
]
}
}
]
},
"vendor_name": "PrestaShop"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In PrestaShop before version 1.7.6.4, when a customer edits their address, they can freely change the id_address in the form, and thus steal someone else\u0027s address. It is the same with CustomerForm, you are able to change the id_customer and change all information of all accounts. The problem is patched in version 1.7.6.4."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-285: Improper Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-mhfc-6rhg-fxp3",
"refsource": "CONFIRM",
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-mhfc-6rhg-fxp3"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/a4a609b5064661f0b47ab5bc538e1a9cd3dd1069",
"refsource": "MISC",
"url": "https://github.com/PrestaShop/PrestaShop/commit/a4a609b5064661f0b47ab5bc538e1a9cd3dd1069"
}
]
},
"source": {
"advisory": "GHSA-mhfc-6rhg-fxp3",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-5250",
"datePublished": "2020-03-05T17:00:18",
"dateReserved": "2020-01-02T00:00:00",
"dateUpdated": "2024-08-04T08:22:09.084Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-15079 (GCVE-0-2020-15079)
Vulnerability from cvelistv5
Published
2020-07-02 16:45
Modified
2024-08-04 13:08
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-284 - {"":"Improper Access Control"}
Summary
In PrestaShop from version 1.5.0.0 and before version 1.7.6.6, there is improper access control in Carrier page, Module Manager and Module Positions. The problem is fixed in version 1.7.6.6
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PrestaShop | PrestaShop |
Version: >= 1.5.0.0, < 1.7.6.6 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:08:21.404Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-xp3x-3h8q-c386"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/8833d9504cc5d69a2a6d10197f56f0c11443cbfa"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PrestaShop",
"vendor": "PrestaShop",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.5.0.0, \u003c 1.7.6.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In PrestaShop from version 1.5.0.0 and before version 1.7.6.6, there is improper access control in Carrier page, Module Manager and Module Positions. The problem is fixed in version 1.7.6.6"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "{\"CWE-284\":\"Improper Access Control\"}",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-02T16:45:24",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-xp3x-3h8q-c386"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/8833d9504cc5d69a2a6d10197f56f0c11443cbfa"
}
],
"source": {
"advisory": "GHSA-xp3x-3h8q-c386",
"discovery": "UNKNOWN"
},
"title": "Improper access control in PrestaShop",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-15079",
"STATE": "PUBLIC",
"TITLE": "Improper access control in PrestaShop"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PrestaShop",
"version": {
"version_data": [
{
"version_value": "\u003e= 1.5.0.0, \u003c 1.7.6.6"
}
]
}
}
]
},
"vendor_name": "PrestaShop"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In PrestaShop from version 1.5.0.0 and before version 1.7.6.6, there is improper access control in Carrier page, Module Manager and Module Positions. The problem is fixed in version 1.7.6.6"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "{\"CWE-284\":\"Improper Access Control\"}"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-xp3x-3h8q-c386",
"refsource": "CONFIRM",
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-xp3x-3h8q-c386"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/8833d9504cc5d69a2a6d10197f56f0c11443cbfa",
"refsource": "MISC",
"url": "https://github.com/PrestaShop/PrestaShop/commit/8833d9504cc5d69a2a6d10197f56f0c11443cbfa"
}
]
},
"source": {
"advisory": "GHSA-xp3x-3h8q-c386",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-15079",
"datePublished": "2020-07-02T16:45:24",
"dateReserved": "2020-06-25T00:00:00",
"dateUpdated": "2024-08-04T13:08:21.404Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-21302 (GCVE-0-2021-21302)
Vulnerability from cvelistv5
Published
2021-02-26 19:45
Modified
2024-08-03 18:09
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-78 - OS Command Injection
Summary
PrestaShop is a fully scalable open source e-commerce solution. In PrestaShop before version 1.7.2 there is a CSV Injection vulnerability possible by using shop search keywords via the admin panel. The problem is fixed in 1.7.7.2
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PrestaShop | PrestaShop |
Version: >= 1.5.0, < 1.7.7.2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:09:15.156Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-2rw4-2p99-cmx9"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/releases/tag/1.7.7.2"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/782b1368aa4e94dafe28f57485bffbd8893fbb1e"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PrestaShop",
"vendor": "PrestaShop",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.5.0, \u003c 1.7.7.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PrestaShop is a fully scalable open source e-commerce solution. In PrestaShop before version 1.7.2 there is a CSV Injection vulnerability possible by using shop search keywords via the admin panel. The problem is fixed in 1.7.7.2"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 OS Command Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-02-26T19:45:16",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-2rw4-2p99-cmx9"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/releases/tag/1.7.7.2"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/782b1368aa4e94dafe28f57485bffbd8893fbb1e"
}
],
"source": {
"advisory": "GHSA-2rw4-2p99-cmx9",
"discovery": "UNKNOWN"
},
"title": "CSV Injection via csv export",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-21302",
"STATE": "PUBLIC",
"TITLE": "CSV Injection via csv export"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PrestaShop",
"version": {
"version_data": [
{
"version_value": "\u003e= 1.5.0, \u003c 1.7.7.2"
}
]
}
}
]
},
"vendor_name": "PrestaShop"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "PrestaShop is a fully scalable open source e-commerce solution. In PrestaShop before version 1.7.2 there is a CSV Injection vulnerability possible by using shop search keywords via the admin panel. The problem is fixed in 1.7.7.2"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-78 OS Command Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-2rw4-2p99-cmx9",
"refsource": "CONFIRM",
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-2rw4-2p99-cmx9"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/releases/tag/1.7.7.2",
"refsource": "MISC",
"url": "https://github.com/PrestaShop/PrestaShop/releases/tag/1.7.7.2"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/782b1368aa4e94dafe28f57485bffbd8893fbb1e",
"refsource": "MISC",
"url": "https://github.com/PrestaShop/PrestaShop/commit/782b1368aa4e94dafe28f57485bffbd8893fbb1e"
}
]
},
"source": {
"advisory": "GHSA-2rw4-2p99-cmx9",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-21302",
"datePublished": "2021-02-26T19:45:16",
"dateReserved": "2020-12-22T00:00:00",
"dateUpdated": "2024-08-03T18:09:15.156Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-31181 (GCVE-0-2022-31181)
Vulnerability from cvelistv5
Published
2022-08-01 19:30
Modified
2025-04-23 17:56
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
PrestaShop is an Open Source e-commerce platform. In versions from 1.6.0.10 and before 1.7.8.7 PrestaShop is subject to an SQL injection vulnerability which can be chained to call PHP's Eval function on attacker input. The problem is fixed in version 1.7.8.7. Users are advised to upgrade. Users unable to upgrade may delete the MySQL Smarty cache feature.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PrestaShop | PrestaShop |
Version: >= 1.6.0.10, < 1.7.8.7 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:11:39.688Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-hrgx-p36p-89q4"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/b6d96e7c2a4e35a44e96ffbcdfd34439b56af804"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/releases/tag/1.7.8.7"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-31181",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:48:50.998040Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T17:56:10.835Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "PrestaShop",
"vendor": "PrestaShop",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.6.0.10, \u003c 1.7.8.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PrestaShop is an Open Source e-commerce platform. In versions from 1.6.0.10 and before 1.7.8.7 PrestaShop is subject to an SQL injection vulnerability which can be chained to call PHP\u0027s Eval function on attacker input. The problem is fixed in version 1.7.8.7. Users are advised to upgrade. Users unable to upgrade may delete the MySQL Smarty cache feature."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-01T19:30:16.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-hrgx-p36p-89q4"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/b6d96e7c2a4e35a44e96ffbcdfd34439b56af804"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/releases/tag/1.7.8.7"
}
],
"source": {
"advisory": "GHSA-hrgx-p36p-89q4",
"discovery": "UNKNOWN"
},
"title": "Remote code execution in prestashop",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-31181",
"STATE": "PUBLIC",
"TITLE": "Remote code execution in prestashop"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PrestaShop",
"version": {
"version_data": [
{
"version_value": "\u003e= 1.6.0.10, \u003c 1.7.8.7"
}
]
}
}
]
},
"vendor_name": "PrestaShop"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "PrestaShop is an Open Source e-commerce platform. In versions from 1.6.0.10 and before 1.7.8.7 PrestaShop is subject to an SQL injection vulnerability which can be chained to call PHP\u0027s Eval function on attacker input. The problem is fixed in version 1.7.8.7. Users are advised to upgrade. Users unable to upgrade may delete the MySQL Smarty cache feature."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-hrgx-p36p-89q4",
"refsource": "CONFIRM",
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-hrgx-p36p-89q4"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/b6d96e7c2a4e35a44e96ffbcdfd34439b56af804",
"refsource": "MISC",
"url": "https://github.com/PrestaShop/PrestaShop/commit/b6d96e7c2a4e35a44e96ffbcdfd34439b56af804"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/releases/tag/1.7.8.7",
"refsource": "MISC",
"url": "https://github.com/PrestaShop/PrestaShop/releases/tag/1.7.8.7"
}
]
},
"source": {
"advisory": "GHSA-hrgx-p36p-89q4",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-31181",
"datePublished": "2022-08-01T19:30:16.000Z",
"dateReserved": "2022-05-18T00:00:00.000Z",
"dateUpdated": "2025-04-23T17:56:10.835Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-25170 (GCVE-0-2023-25170)
Vulnerability from cvelistv5
Published
2023-03-13 16:55
Modified
2025-02-25 14:58
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Summary
PrestaShop is an open source e-commerce web application that, prior to version 8.0.1, is vulnerable to cross-site request forgery (CSRF). When authenticating users, PrestaShop preserves session attributes. Because this does not clear CSRF tokens upon login, this might enable same-site attackers to bypass the CSRF protection mechanism by performing an attack similar to a session-fixation. The problem is fixed in version 8.0.1.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PrestaShop | PrestaShop |
Version: >= 1.7.0.0, < 8.0.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:18:35.596Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-3g43-x7qr-96ph",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-3g43-x7qr-96ph"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-25170",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-25T14:29:46.050816Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-25T14:58:36.483Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "PrestaShop",
"vendor": "PrestaShop",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.7.0.0, \u003c 8.0.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PrestaShop is an open source e-commerce web application that, prior to version 8.0.1, is vulnerable to cross-site request forgery (CSRF). When authenticating users, PrestaShop preserves session attributes. Because this does not clear CSRF tokens upon login, this might enable same-site attackers to bypass the CSRF protection mechanism by performing an attack similar to a session-fixation. The problem is fixed in version 8.0.1.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-13T16:55:24.523Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-3g43-x7qr-96ph",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-3g43-x7qr-96ph"
}
],
"source": {
"advisory": "GHSA-3g43-x7qr-96ph",
"discovery": "UNKNOWN"
},
"title": "PrestaShop has possible CSRF token fixation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-25170",
"datePublished": "2023-03-13T16:55:24.523Z",
"dateReserved": "2023-02-03T16:59:18.246Z",
"dateUpdated": "2025-02-25T14:58:36.483Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-5293 (GCVE-0-2020-5293)
Vulnerability from cvelistv5
Published
2020-04-20 16:55
Modified
2024-08-04 08:22
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-284 - Improper Access Control
Summary
In PrestaShop between versions 1.7.0.0 and 1.7.6.5, there are improper access controls on product page with combinations, attachments and specific prices. The problem is fixed in 1.7.6.5.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PrestaShop | PrestaShop |
Version: >= 1.7.0.0, < 1.7.6.5 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:22:09.082Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-cvjj-grfv-f56w"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/f9f442c87755908e23a6bcba8c443cdea1d78a7f"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PrestaShop",
"vendor": "PrestaShop",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.7.0.0, \u003c 1.7.6.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In PrestaShop between versions 1.7.0.0 and 1.7.6.5, there are improper access controls on product page with combinations, attachments and specific prices. The problem is fixed in 1.7.6.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-04-20T16:55:17",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-cvjj-grfv-f56w"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/f9f442c87755908e23a6bcba8c443cdea1d78a7f"
}
],
"source": {
"advisory": "GHSA-cvjj-grfv-f56w",
"discovery": "UNKNOWN"
},
"title": "Improper access control on product page with combinations, attachments and specific prices in PrestaShop",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-5293",
"STATE": "PUBLIC",
"TITLE": "Improper access control on product page with combinations, attachments and specific prices in PrestaShop"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PrestaShop",
"version": {
"version_data": [
{
"version_value": "\u003e= 1.7.0.0, \u003c 1.7.6.5"
}
]
}
}
]
},
"vendor_name": "PrestaShop"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In PrestaShop between versions 1.7.0.0 and 1.7.6.5, there are improper access controls on product page with combinations, attachments and specific prices. The problem is fixed in 1.7.6.5."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-284: Improper Access Control"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-cvjj-grfv-f56w",
"refsource": "CONFIRM",
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-cvjj-grfv-f56w"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/f9f442c87755908e23a6bcba8c443cdea1d78a7f",
"refsource": "MISC",
"url": "https://github.com/PrestaShop/PrestaShop/commit/f9f442c87755908e23a6bcba8c443cdea1d78a7f"
}
]
},
"source": {
"advisory": "GHSA-cvjj-grfv-f56w",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-5293",
"datePublished": "2020-04-20T16:55:17",
"dateReserved": "2020-01-02T00:00:00",
"dateUpdated": "2024-08-04T08:22:09.082Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-15161 (GCVE-0-2020-15161)
Vulnerability from cvelistv5
Published
2020-09-24 22:10
Modified
2024-08-04 13:08
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
In PrestaShop from version 1.6.0.4 and before version 1.7.6.8 an attacker is able to inject javascript while using the contact form. The problem is fixed in 1.7.6.8
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PrestaShop | PrestaShop |
Version: > 1.6.0.4, < 1.7.6.8 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:08:22.256Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-5cp2-r794-w37w"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/562a231fec18a928e4a601860416fe11af274672"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/releases/tag/1.7.6.8"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PrestaShop",
"vendor": "PrestaShop",
"versions": [
{
"status": "affected",
"version": "\u003e 1.6.0.4, \u003c 1.7.6.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In PrestaShop from version 1.6.0.4 and before version 1.7.6.8 an attacker is able to inject javascript while using the contact form. The problem is fixed in 1.7.6.8"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-09-24T22:10:13",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-5cp2-r794-w37w"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/562a231fec18a928e4a601860416fe11af274672"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/releases/tag/1.7.6.8"
}
],
"source": {
"advisory": "GHSA-5cp2-r794-w37w",
"discovery": "UNKNOWN"
},
"title": "Potential XSS in PrestaShop",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-15161",
"STATE": "PUBLIC",
"TITLE": "Potential XSS in PrestaShop"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PrestaShop",
"version": {
"version_data": [
{
"version_value": "\u003e 1.6.0.4, \u003c 1.7.6.8"
}
]
}
}
]
},
"vendor_name": "PrestaShop"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In PrestaShop from version 1.6.0.4 and before version 1.7.6.8 an attacker is able to inject javascript while using the contact form. The problem is fixed in 1.7.6.8"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-5cp2-r794-w37w",
"refsource": "CONFIRM",
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-5cp2-r794-w37w"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/562a231fec18a928e4a601860416fe11af274672",
"refsource": "MISC",
"url": "https://github.com/PrestaShop/PrestaShop/commit/562a231fec18a928e4a601860416fe11af274672"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/releases/tag/1.7.6.8",
"refsource": "MISC",
"url": "https://github.com/PrestaShop/PrestaShop/releases/tag/1.7.6.8"
}
]
},
"source": {
"advisory": "GHSA-5cp2-r794-w37w",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-15161",
"datePublished": "2020-09-24T22:10:13",
"dateReserved": "2020-06-25T00:00:00",
"dateUpdated": "2024-08-04T13:08:22.256Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-39524 (GCVE-0-2023-39524)
Vulnerability from cvelistv5
Published
2023-08-07 19:48
Modified
2024-10-03 16:20
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Summary
PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, SQL injection possible in the product search field, in BO's product page. Version 8.1.1 contains a patch for this issue. There are no known workarounds.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PrestaShop | PrestaShop |
Version: < 8.1.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:10:21.178Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-75p5-jwx4-qw9h",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-75p5-jwx4-qw9h"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/2047d4c053043102bc46a37d383b392704bf14d7",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/2047d4c053043102bc46a37d383b392704bf14d7"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-39524",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-03T16:20:18.446579Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-03T16:20:27.279Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "PrestaShop",
"vendor": "PrestaShop",
"versions": [
{
"status": "affected",
"version": "\u003c 8.1.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, SQL injection possible in the product search field, in BO\u0027s product page. Version 8.1.1 contains a patch for this issue. There are no known workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-07T19:48:21.994Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-75p5-jwx4-qw9h",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-75p5-jwx4-qw9h"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/2047d4c053043102bc46a37d383b392704bf14d7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/2047d4c053043102bc46a37d383b392704bf14d7"
}
],
"source": {
"advisory": "GHSA-75p5-jwx4-qw9h",
"discovery": "UNKNOWN"
},
"title": "PrestaShop vulnerable to boolean SQL injection in search product in BO"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-39524",
"datePublished": "2023-08-07T19:48:21.994Z",
"dateReserved": "2023-08-03T16:27:36.262Z",
"dateUpdated": "2024-10-03T16:20:27.279Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-39529 (GCVE-0-2023-39529)
Vulnerability from cvelistv5
Published
2023-08-07 20:37
Modified
2024-10-03 16:10
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-20 - Improper Input Validation
Summary
PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, it is possible to delete a file from the server by using the Attachments controller and the Attachments API. Version 8.1.1 contains a patch for this issue. There are no known workarounds.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PrestaShop | PrestaShop |
Version: < 8.1.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:10:21.162Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-2rf5-3fw8-qm47",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-2rf5-3fw8-qm47"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/b08c647305dc1e9e6a2445b724d13a9733b6ed82",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/b08c647305dc1e9e6a2445b724d13a9733b6ed82"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-39529",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-03T16:01:08.643622Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-03T16:10:35.680Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "PrestaShop",
"vendor": "PrestaShop",
"versions": [
{
"status": "affected",
"version": "\u003c 8.1.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, it is possible to delete a file from the server by using the Attachments controller and the Attachments API. Version 8.1.1 contains a patch for this issue. There are no known workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-07T20:37:15.946Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-2rf5-3fw8-qm47",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-2rf5-3fw8-qm47"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/b08c647305dc1e9e6a2445b724d13a9733b6ed82",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/b08c647305dc1e9e6a2445b724d13a9733b6ed82"
}
],
"source": {
"advisory": "GHSA-2rf5-3fw8-qm47",
"discovery": "UNKNOWN"
},
"title": "PrestaShop vulnerable to file deletion via attachment API"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-39529",
"datePublished": "2023-08-07T20:37:15.946Z",
"dateReserved": "2023-08-03T16:27:36.263Z",
"dateUpdated": "2024-10-03T16:10:35.680Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-30839 (GCVE-0-2023-30839)
Vulnerability from cvelistv5
Published
2023-04-25 18:41
Modified
2025-02-03 18:08
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Summary
PrestaShop is an Open Source e-commerce web application. Versions prior to 8.0.4 and 1.7.8.9 contain a SQL filtering vulnerability. A BO user can write, update, and delete in the database, even without having specific rights. PrestaShop 8.0.4 and 1.7.8.9 contain a patch for this issue. There are no known workarounds.
References
| ► | URL | Tags |
|---|---|---|
|
|
||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PrestaShop | PrestaShop |
Version: >= 8.0.0, < 8.0.4 Version: < 1.7.8.9 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:37:15.458Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-p379-cxqh-q822",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-p379-cxqh-q822"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/0f2a9b7fdd42d1dd3b21d4fad586a849642f3c30",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/0f2a9b7fdd42d1dd3b21d4fad586a849642f3c30"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/d1d27dc371599713c912b71bc2a455cacd7f2149",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/d1d27dc371599713c912b71bc2a455cacd7f2149"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-30839",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-03T18:07:54.375956Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-03T18:08:09.963Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "PrestaShop",
"vendor": "PrestaShop",
"versions": [
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.0.4"
},
{
"status": "affected",
"version": "\u003c 1.7.8.9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PrestaShop is an Open Source e-commerce web application. Versions prior to 8.0.4 and 1.7.8.9 contain a SQL filtering vulnerability. A BO user can write, update, and delete in the database, even without having specific rights. PrestaShop 8.0.4 and 1.7.8.9 contain a patch for this issue. There are no known workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-25T18:41:38.777Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-p379-cxqh-q822",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-p379-cxqh-q822"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/0f2a9b7fdd42d1dd3b21d4fad586a849642f3c30",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/0f2a9b7fdd42d1dd3b21d4fad586a849642f3c30"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/d1d27dc371599713c912b71bc2a455cacd7f2149",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/d1d27dc371599713c912b71bc2a455cacd7f2149"
}
],
"source": {
"advisory": "GHSA-p379-cxqh-q822",
"discovery": "UNKNOWN"
},
"title": "PrestaShop vulnerable to SQL filter bypass leading to arbitrary write requests using \"SQL Manager\""
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-30839",
"datePublished": "2023-04-25T18:41:38.777Z",
"dateReserved": "2023-04-18T16:13:15.880Z",
"dateUpdated": "2025-02-03T18:08:09.963Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-43663 (GCVE-0-2023-43663)
Vulnerability from cvelistv5
Published
2023-09-28 18:13
Modified
2024-09-20 19:32
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-269 - Improper Privilege Management
Summary
PrestaShop is an Open Source e-commerce web application. In affected versions any module can be disabled or uninstalled from back office, even with low user right. This allows low privileged users to disable portions of a shops functionality. Commit `ce1f6708` addresses this issue and is included in version 8.1.2. Users are advised to upgrade. There are no known workarounds for this issue.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PrestaShop | PrestaShop |
Version: < 8.1.2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:44:43.764Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-6jmf-2pfc-q9m7",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-6jmf-2pfc-q9m7"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/ce1f67083537194e974caf86c57e547a0aaa46cd",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/ce1f67083537194e974caf86c57e547a0aaa46cd"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-43663",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-20T17:48:09.994728Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-20T19:32:29.398Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "PrestaShop",
"vendor": "PrestaShop",
"versions": [
{
"status": "affected",
"version": "\u003c 8.1.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PrestaShop is an Open Source e-commerce web application. In affected versions any module can be disabled or uninstalled from back office, even with low user right. This allows low privileged users to disable portions of a shops functionality. Commit `ce1f6708` addresses this issue and is included in version 8.1.2. Users are advised to upgrade. There are no known workarounds for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-28T18:13:49.216Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-6jmf-2pfc-q9m7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-6jmf-2pfc-q9m7"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/ce1f67083537194e974caf86c57e547a0aaa46cd",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/ce1f67083537194e974caf86c57e547a0aaa46cd"
}
],
"source": {
"advisory": "GHSA-6jmf-2pfc-q9m7",
"discovery": "UNKNOWN"
},
"title": "Improper Privilege Management in Prestashop"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-43663",
"datePublished": "2023-09-28T18:13:49.216Z",
"dateReserved": "2023-09-20T15:35:38.148Z",
"dateUpdated": "2024-09-20T19:32:29.398Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-21686 (GCVE-0-2022-21686)
Vulnerability from cvelistv5
Published
2022-01-26 20:10
Modified
2025-04-23 19:09
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Summary
PrestaShop is an Open Source e-commerce platform. Starting with version 1.7.0.0 and ending with version 1.7.8.3, an attacker is able to inject twig code inside the back office when using the legacy layout. The problem is fixed in version 1.7.8.3. There are no known workarounds.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PrestaShop | PrestaShop |
Version: >= 1.7.0.0, < 1.7.8.3 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T02:46:39.542Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-mrq4-7ch7-2465"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/d02b469ec365822e6a9f017e57f588966248bf21"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/releases/tag/1.7.8.3"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-21686",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:56:49.163569Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T19:09:07.936Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "PrestaShop",
"vendor": "PrestaShop",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.7.0.0, \u003c 1.7.8.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PrestaShop is an Open Source e-commerce platform. Starting with version 1.7.0.0 and ending with version 1.7.8.3, an attacker is able to inject twig code inside the back office when using the legacy layout. The problem is fixed in version 1.7.8.3. There are no known workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-26T20:10:10.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-mrq4-7ch7-2465"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/d02b469ec365822e6a9f017e57f588966248bf21"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/releases/tag/1.7.8.3"
}
],
"source": {
"advisory": "GHSA-mrq4-7ch7-2465",
"discovery": "UNKNOWN"
},
"title": "Server Side Twig Template Injection in PrestaShop",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-21686",
"STATE": "PUBLIC",
"TITLE": "Server Side Twig Template Injection in PrestaShop"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PrestaShop",
"version": {
"version_data": [
{
"version_value": "\u003e= 1.7.0.0, \u003c 1.7.8.3"
}
]
}
}
]
},
"vendor_name": "PrestaShop"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "PrestaShop is an Open Source e-commerce platform. Starting with version 1.7.0.0 and ending with version 1.7.8.3, an attacker is able to inject twig code inside the back office when using the legacy layout. The problem is fixed in version 1.7.8.3. There are no known workarounds."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-mrq4-7ch7-2465",
"refsource": "CONFIRM",
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-mrq4-7ch7-2465"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/d02b469ec365822e6a9f017e57f588966248bf21",
"refsource": "MISC",
"url": "https://github.com/PrestaShop/PrestaShop/commit/d02b469ec365822e6a9f017e57f588966248bf21"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/releases/tag/1.7.8.3",
"refsource": "MISC",
"url": "https://github.com/PrestaShop/PrestaShop/releases/tag/1.7.8.3"
}
]
},
"source": {
"advisory": "GHSA-mrq4-7ch7-2465",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-21686",
"datePublished": "2022-01-26T20:10:10.000Z",
"dateReserved": "2021-11-16T00:00:00.000Z",
"dateUpdated": "2025-04-23T19:09:07.936Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-39528 (GCVE-0-2023-39528)
Vulnerability from cvelistv5
Published
2023-08-07 20:35
Modified
2024-10-03 16:13
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Summary
PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, the `displayAjaxEmailHTML` method can be used to read any file on the server, potentially even outside of the project if the server is not correctly configured. Version 8.1.1 contains a patch for this issue. There are no known workarounds.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PrestaShop | PrestaShop |
Version: < 8.1.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:10:21.115Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-hpf4-v7v2-95p2",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-hpf4-v7v2-95p2"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/11de3a84322fa4ecd0995ac40d575db61804724c",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/11de3a84322fa4ecd0995ac40d575db61804724c"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-39528",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-03T16:01:14.621866Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-03T16:13:39.365Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "PrestaShop",
"vendor": "PrestaShop",
"versions": [
{
"status": "affected",
"version": "\u003c 8.1.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, the `displayAjaxEmailHTML` method can be used to read any file on the server, potentially even outside of the project if the server is not correctly configured. Version 8.1.1 contains a patch for this issue. There are no known workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-07T20:35:07.663Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-hpf4-v7v2-95p2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-hpf4-v7v2-95p2"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/11de3a84322fa4ecd0995ac40d575db61804724c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/11de3a84322fa4ecd0995ac40d575db61804724c"
}
],
"source": {
"advisory": "GHSA-hpf4-v7v2-95p2",
"discovery": "UNKNOWN"
},
"title": "PrestaShop vulnerable to file reading through path traversal"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-39528",
"datePublished": "2023-08-07T20:35:07.663Z",
"dateReserved": "2023-08-03T16:27:36.263Z",
"dateUpdated": "2024-10-03T16:13:39.365Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-5271 (GCVE-0-2020-5271)
Vulnerability from cvelistv5
Published
2020-04-20 16:50
Modified
2024-08-04 08:22
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
In PrestaShop between versions 1.6.0.0 and 1.7.6.5, there is a reflected XSS with `date_from` and `date_to` parameters in the dashboard page This problem is fixed in 1.7.6.5
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PrestaShop | PrestaShop |
Version: >= 1.6.0.0, < 1.7.6.5 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:22:09.101Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-m2x6-c2c6-pjrx"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/c464518d2aaf195007a1eb055fce64a9a027e00a"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PrestaShop",
"vendor": "PrestaShop",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.6.0.0, \u003c 1.7.6.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In PrestaShop between versions 1.6.0.0 and 1.7.6.5, there is a reflected XSS with `date_from` and `date_to` parameters in the dashboard page This problem is fixed in 1.7.6.5"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-04-20T16:50:39",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-m2x6-c2c6-pjrx"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/c464518d2aaf195007a1eb055fce64a9a027e00a"
}
],
"source": {
"advisory": "GHSA-m2x6-c2c6-pjrx",
"discovery": "UNKNOWN"
},
"title": "Reflected XSS with dashboard calendar of PrestaShop",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-5271",
"STATE": "PUBLIC",
"TITLE": "Reflected XSS with dashboard calendar of PrestaShop"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PrestaShop",
"version": {
"version_data": [
{
"version_value": "\u003e= 1.6.0.0, \u003c 1.7.6.5"
}
]
}
}
]
},
"vendor_name": "PrestaShop"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In PrestaShop between versions 1.6.0.0 and 1.7.6.5, there is a reflected XSS with `date_from` and `date_to` parameters in the dashboard page This problem is fixed in 1.7.6.5"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-m2x6-c2c6-pjrx",
"refsource": "CONFIRM",
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-m2x6-c2c6-pjrx"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/c464518d2aaf195007a1eb055fce64a9a027e00a",
"refsource": "MISC",
"url": "https://github.com/PrestaShop/PrestaShop/commit/c464518d2aaf195007a1eb055fce64a9a027e00a"
}
]
},
"source": {
"advisory": "GHSA-m2x6-c2c6-pjrx",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-5271",
"datePublished": "2020-04-20T16:50:39",
"dateReserved": "2020-01-02T00:00:00",
"dateUpdated": "2024-08-04T08:22:09.101Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-11074 (GCVE-0-2020-11074)
Vulnerability from cvelistv5
Published
2020-07-02 16:45
Modified
2024-08-04 11:21
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
In PrestaShop from version 1.5.3.0 and before version 1.7.6.6, there is a stored XSS when using the name of a quick access item. The problem is fixed in 1.7.6.6.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PrestaShop | PrestaShop |
Version: >= 1.5.3.0, < 1.7.6.6 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:21:14.578Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-v4pg-q2cv-f7x4"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/d122b82bcc2ad8a7b05cfffc03df6c2cae08efe8"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PrestaShop",
"vendor": "PrestaShop",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.5.3.0, \u003c 1.7.6.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In PrestaShop from version 1.5.3.0 and before version 1.7.6.6, there is a stored XSS when using the name of a quick access item. The problem is fixed in 1.7.6.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-08T15:17:18",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-v4pg-q2cv-f7x4"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/d122b82bcc2ad8a7b05cfffc03df6c2cae08efe8"
}
],
"source": {
"advisory": "GHSA-v4pg-q2cv-f7x4",
"discovery": "UNKNOWN"
},
"title": "Stored XSS in PrestaShop",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-11074",
"STATE": "PUBLIC",
"TITLE": "Stored XSS in PrestaShop"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PrestaShop",
"version": {
"version_data": [
{
"version_value": "\u003e= 1.5.3.0, \u003c 1.7.6.6"
}
]
}
}
]
},
"vendor_name": "PrestaShop"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In PrestaShop from version 1.5.3.0 and before version 1.7.6.6, there is a stored XSS when using the name of a quick access item. The problem is fixed in 1.7.6.6."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-v4pg-q2cv-f7x4",
"refsource": "CONFIRM",
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-v4pg-q2cv-f7x4"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/d122b82bcc2ad8a7b05cfffc03df6c2cae08efe8",
"refsource": "MISC",
"url": "https://github.com/PrestaShop/PrestaShop/commit/d122b82bcc2ad8a7b05cfffc03df6c2cae08efe8"
}
]
},
"source": {
"advisory": "GHSA-v4pg-q2cv-f7x4",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-11074",
"datePublished": "2020-07-02T16:45:29",
"dateReserved": "2020-03-30T00:00:00",
"dateUpdated": "2024-08-04T11:21:14.578Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-30838 (GCVE-0-2023-30838)
Vulnerability from cvelistv5
Published
2023-04-25 18:22
Modified
2025-02-03 19:34
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
PrestaShop is an Open Source e-commerce web application. Prior to versions 8.0.4 and 1.7.8.9, the `ValidateCore::isCleanHTML()` method of Prestashop misses hijackable events which can lead to cross-site scripting (XSS) injection, allowed by the presence of pre-setup `@keyframes` methods. This XSS, which hijacks HTML attributes, can be triggered without any interaction by the visitor/administrator, which makes it as dangerous as a trivial XSS attack. Contrary to other attacks which target HTML attributes and are triggered without user interaction (such as onload / onerror which suffer from a very limited scope), this one can hijack every HTML element, which increases the danger due to a complete HTML elements scope. Versions 8.0.4 and 1.7.8.9 contain a fix for this issue.
References
| ► | URL | Tags |
|---|---|---|
|
|
||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PrestaShop | PrestaShop |
Version: >= 8.0.0, < 8.0.4 Version: < 1.7.8.9 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:37:15.536Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-fh7r-996q-gvcp",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-fh7r-996q-gvcp"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/46408ae4b02f3b8b1bb6e9dc63af5bcd858abd9c",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/46408ae4b02f3b8b1bb6e9dc63af5bcd858abd9c"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/dc682192df0e4b0d656a8e645b29ca1b9dbe3693",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/dc682192df0e4b0d656a8e645b29ca1b9dbe3693"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-30838",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-03T19:34:44.162026Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-03T19:34:54.511Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "PrestaShop",
"vendor": "PrestaShop",
"versions": [
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.0.4"
},
{
"status": "affected",
"version": "\u003c 1.7.8.9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PrestaShop is an Open Source e-commerce web application. Prior to versions 8.0.4 and 1.7.8.9, the `ValidateCore::isCleanHTML()` method of Prestashop misses hijackable events which can lead to cross-site scripting (XSS) injection, allowed by the presence of pre-setup `@keyframes` methods. This XSS, which hijacks HTML attributes, can be triggered without any interaction by the visitor/administrator, which makes it as dangerous as a trivial XSS attack. Contrary to other attacks which target HTML attributes and are triggered without user interaction (such as onload / onerror which suffer from a very limited scope), this one can hijack every HTML element, which increases the danger due to a complete HTML elements scope. Versions 8.0.4 and 1.7.8.9 contain a fix for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-25T18:22:54.521Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-fh7r-996q-gvcp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-fh7r-996q-gvcp"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/46408ae4b02f3b8b1bb6e9dc63af5bcd858abd9c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/46408ae4b02f3b8b1bb6e9dc63af5bcd858abd9c"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/dc682192df0e4b0d656a8e645b29ca1b9dbe3693",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/dc682192df0e4b0d656a8e645b29ca1b9dbe3693"
}
],
"source": {
"advisory": "GHSA-fh7r-996q-gvcp",
"discovery": "UNKNOWN"
},
"title": "PrestaShop vulnerable to possible XSS injection through Validate::isCleanHTML method"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-30838",
"datePublished": "2023-04-25T18:22:54.521Z",
"dateReserved": "2023-04-18T16:13:15.879Z",
"dateUpdated": "2025-02-03T19:34:54.511Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-39527 (GCVE-0-2023-39527)
Vulnerability from cvelistv5
Published
2023-08-07 20:32
Modified
2024-10-03 16:15
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
PrestaShop is an open source e-commerce web application. Versions prior to 1.7.8.10, 8.0.5, and 8.1.1 are vulnerable to cross-site scripting through the `isCleanHTML` method. Versions 1.7.8.10, 8.0.5, and 8.1.1 contain a patch. There are no known workarounds.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PrestaShop | PrestaShop |
Version: < 1.7.8.10 Version: >= 8.0.0, < 8.0.5 Version: = 8.1.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:10:21.374Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-xw2r-f8xv-c8xp",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-xw2r-f8xv-c8xp"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/afc14f8eaa058b3e6a20ac43e033ee2656fb88b4",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/afc14f8eaa058b3e6a20ac43e033ee2656fb88b4"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-39527",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-03T16:01:22.952352Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-03T16:15:18.378Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "PrestaShop",
"vendor": "PrestaShop",
"versions": [
{
"status": "affected",
"version": "\u003c 1.7.8.10"
},
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.0.5"
},
{
"status": "affected",
"version": "= 8.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PrestaShop is an open source e-commerce web application. Versions prior to 1.7.8.10, 8.0.5, and 8.1.1 are vulnerable to cross-site scripting through the `isCleanHTML` method. Versions 1.7.8.10, 8.0.5, and 8.1.1 contain a patch. There are no known workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "CWE-116: Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-07T20:32:45.203Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-xw2r-f8xv-c8xp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-xw2r-f8xv-c8xp"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/afc14f8eaa058b3e6a20ac43e033ee2656fb88b4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/afc14f8eaa058b3e6a20ac43e033ee2656fb88b4"
}
],
"source": {
"advisory": "GHSA-xw2r-f8xv-c8xp",
"discovery": "UNKNOWN"
},
"title": "PrestaShop XSS vulnerability through Validate::isCleanHTML method"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-39527",
"datePublished": "2023-08-07T20:32:45.203Z",
"dateReserved": "2023-08-03T16:27:36.263Z",
"dateUpdated": "2024-10-03T16:15:18.378Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-5265 (GCVE-0-2020-5265)
Vulnerability from cvelistv5
Published
2020-04-20 16:40
Modified
2024-08-04 08:22
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
In PrestaShop between versions 1.7.6.1 and 1.7.6.5, there is a reflected XSS on AdminAttributesGroups page. The problem is patched in 1.7.6.5.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PrestaShop | PrestaShop |
Version: >= 1.7.6.1, < 1.7.6.5 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:22:09.139Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-7fmr-5vcc-329j"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/622ba66ffdbf48b399875003e00bc34d8a3ef712"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PrestaShop",
"vendor": "PrestaShop",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.7.6.1, \u003c 1.7.6.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In PrestaShop between versions 1.7.6.1 and 1.7.6.5, there is a reflected XSS on AdminAttributesGroups page. The problem is patched in 1.7.6.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-04-20T16:40:13",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-7fmr-5vcc-329j"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/622ba66ffdbf48b399875003e00bc34d8a3ef712"
}
],
"source": {
"advisory": "GHSA-7fmr-5vcc-329j",
"discovery": "UNKNOWN"
},
"title": "Reflected XSS on AdminAttributesGroups page of PrestaShop",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-5265",
"STATE": "PUBLIC",
"TITLE": "Reflected XSS on AdminAttributesGroups page of PrestaShop"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PrestaShop",
"version": {
"version_data": [
{
"version_value": "\u003e= 1.7.6.1, \u003c 1.7.6.5"
}
]
}
}
]
},
"vendor_name": "PrestaShop"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In PrestaShop between versions 1.7.6.1 and 1.7.6.5, there is a reflected XSS on AdminAttributesGroups page. The problem is patched in 1.7.6.5."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-7fmr-5vcc-329j",
"refsource": "CONFIRM",
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-7fmr-5vcc-329j"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/622ba66ffdbf48b399875003e00bc34d8a3ef712",
"refsource": "MISC",
"url": "https://github.com/PrestaShop/PrestaShop/commit/622ba66ffdbf48b399875003e00bc34d8a3ef712"
}
]
},
"source": {
"advisory": "GHSA-7fmr-5vcc-329j",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-5265",
"datePublished": "2020-04-20T16:40:13",
"dateReserved": "2020-01-02T00:00:00",
"dateUpdated": "2024-08-04T08:22:09.139Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-5279 (GCVE-0-2020-5279)
Vulnerability from cvelistv5
Published
2020-04-20 16:50
Modified
2024-08-04 08:22
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-284 - Improper Access Control
Summary
In PrestaShop between versions 1.5.0.0 and 1.7.6.5, there are improper access control since the the version 1.5.0.0 for legacy controllers. - admin-dev/index.php/configure/shop/customer-preferences/ - admin-dev/index.php/improve/international/translations/ - admin-dev/index.php/improve/international/geolocation/ - admin-dev/index.php/improve/international/localization - admin-dev/index.php/configure/advanced/performance - admin-dev/index.php/sell/orders/delivery-slips/ - admin-dev/index.php?controller=AdminStatuses The problem is fixed in 1.7.6.5
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PrestaShop | PrestaShop |
Version: >= 1.5.0.0, < 1.7.6.5 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:22:09.090Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-74vp-ww64-w2gm"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/4444fb85761667a2206874a3112ccc77f657d76a"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PrestaShop",
"vendor": "PrestaShop",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.5.0.0, \u003c 1.7.6.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In PrestaShop between versions 1.5.0.0 and 1.7.6.5, there are improper access control since the the version 1.5.0.0 for legacy controllers. - admin-dev/index.php/configure/shop/customer-preferences/ - admin-dev/index.php/improve/international/translations/ - admin-dev/index.php/improve/international/geolocation/ - admin-dev/index.php/improve/international/localization - admin-dev/index.php/configure/advanced/performance - admin-dev/index.php/sell/orders/delivery-slips/ - admin-dev/index.php?controller=AdminStatuses The problem is fixed in 1.7.6.5"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-04-20T16:50:18",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-74vp-ww64-w2gm"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/4444fb85761667a2206874a3112ccc77f657d76a"
}
],
"source": {
"advisory": "GHSA-74vp-ww64-w2gm",
"discovery": "UNKNOWN"
},
"title": "Improper Access Control for certain legacy controller in PrestaShop",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-5279",
"STATE": "PUBLIC",
"TITLE": "Improper Access Control for certain legacy controller in PrestaShop"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PrestaShop",
"version": {
"version_data": [
{
"version_value": "\u003e= 1.5.0.0, \u003c 1.7.6.5"
}
]
}
}
]
},
"vendor_name": "PrestaShop"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In PrestaShop between versions 1.5.0.0 and 1.7.6.5, there are improper access control since the the version 1.5.0.0 for legacy controllers. - admin-dev/index.php/configure/shop/customer-preferences/ - admin-dev/index.php/improve/international/translations/ - admin-dev/index.php/improve/international/geolocation/ - admin-dev/index.php/improve/international/localization - admin-dev/index.php/configure/advanced/performance - admin-dev/index.php/sell/orders/delivery-slips/ - admin-dev/index.php?controller=AdminStatuses The problem is fixed in 1.7.6.5"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-284: Improper Access Control"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-74vp-ww64-w2gm",
"refsource": "CONFIRM",
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-74vp-ww64-w2gm"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/4444fb85761667a2206874a3112ccc77f657d76a",
"refsource": "MISC",
"url": "https://github.com/PrestaShop/PrestaShop/commit/4444fb85761667a2206874a3112ccc77f657d76a"
}
]
},
"source": {
"advisory": "GHSA-74vp-ww64-w2gm",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-5279",
"datePublished": "2020-04-20T16:50:18",
"dateReserved": "2020-01-02T00:00:00",
"dateUpdated": "2024-08-04T08:22:09.090Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-15082 (GCVE-0-2020-15082)
Vulnerability from cvelistv5
Published
2020-07-02 16:50
Modified
2024-08-04 13:08
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- https://cwe.mitre.org/data/definitions/15.html
Summary
In PrestaShop from version 1.6.0.1 and before version 1.7.6.6, the dashboard allows rewriting all configuration variables. The problem is fixed in 1.7.6.6
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PrestaShop | PrestaShop |
Version: >= 1.6.0.1, < 1.7.6.6 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:08:21.807Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-mc98-xjm3-c4fm"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/0f0d6238169a79d94f5ef28d24e60a9be8902f4b"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PrestaShop",
"vendor": "PrestaShop",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.6.0.1, \u003c 1.7.6.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In PrestaShop from version 1.6.0.1 and before version 1.7.6.6, the dashboard allows rewriting all configuration variables. The problem is fixed in 1.7.6.6"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "https://cwe.mitre.org/data/definitions/15.html",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-02T16:50:17",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-mc98-xjm3-c4fm"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/0f0d6238169a79d94f5ef28d24e60a9be8902f4b"
}
],
"source": {
"advisory": "GHSA-mc98-xjm3-c4fm",
"discovery": "UNKNOWN"
},
"title": "External control of configuration setting in the dashboard in PrestaShop",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-15082",
"STATE": "PUBLIC",
"TITLE": "External control of configuration setting in the dashboard in PrestaShop"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PrestaShop",
"version": {
"version_data": [
{
"version_value": "\u003e= 1.6.0.1, \u003c 1.7.6.6"
}
]
}
}
]
},
"vendor_name": "PrestaShop"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In PrestaShop from version 1.6.0.1 and before version 1.7.6.6, the dashboard allows rewriting all configuration variables. The problem is fixed in 1.7.6.6"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "https://cwe.mitre.org/data/definitions/15.html"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-mc98-xjm3-c4fm",
"refsource": "CONFIRM",
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-mc98-xjm3-c4fm"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/0f0d6238169a79d94f5ef28d24e60a9be8902f4b",
"refsource": "MISC",
"url": "https://github.com/PrestaShop/PrestaShop/commit/0f0d6238169a79d94f5ef28d24e60a9be8902f4b"
}
]
},
"source": {
"advisory": "GHSA-mc98-xjm3-c4fm",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-15082",
"datePublished": "2020-07-02T16:50:17",
"dateReserved": "2020-06-25T00:00:00",
"dateUpdated": "2024-08-04T13:08:21.807Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-5269 (GCVE-0-2020-5269)
Vulnerability from cvelistv5
Published
2020-04-20 16:45
Modified
2024-08-04 08:22
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
In PrestaShop between versions 1.7.6.1 and 1.7.6.5, there is a reflected XSS on AdminFeatures page by using the `id_feature` parameter. The problem is fixed in 1.7.6.5
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PrestaShop | PrestaShop |
Version: >= 1.7.6.1, < 1.7.6.5 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:22:09.082Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-87jh-7xpg-6v93"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/9efca621a0b74b82dafa91e6b955120036e31334"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PrestaShop",
"vendor": "PrestaShop",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.7.6.1, \u003c 1.7.6.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In PrestaShop between versions 1.7.6.1 and 1.7.6.5, there is a reflected XSS on AdminFeatures page by using the `id_feature` parameter. The problem is fixed in 1.7.6.5"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-04-20T16:45:20",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-87jh-7xpg-6v93"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/9efca621a0b74b82dafa91e6b955120036e31334"
}
],
"source": {
"advisory": "GHSA-87jh-7xpg-6v93",
"discovery": "UNKNOWN"
},
"title": "Reflected XSS on AdminFeatures page of PrestaShop",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-5269",
"STATE": "PUBLIC",
"TITLE": "Reflected XSS on AdminFeatures page of PrestaShop"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PrestaShop",
"version": {
"version_data": [
{
"version_value": "\u003e= 1.7.6.1, \u003c 1.7.6.5"
}
]
}
}
]
},
"vendor_name": "PrestaShop"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In PrestaShop between versions 1.7.6.1 and 1.7.6.5, there is a reflected XSS on AdminFeatures page by using the `id_feature` parameter. The problem is fixed in 1.7.6.5"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-87jh-7xpg-6v93",
"refsource": "CONFIRM",
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-87jh-7xpg-6v93"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/9efca621a0b74b82dafa91e6b955120036e31334",
"refsource": "MISC",
"url": "https://github.com/PrestaShop/PrestaShop/commit/9efca621a0b74b82dafa91e6b955120036e31334"
}
]
},
"source": {
"advisory": "GHSA-87jh-7xpg-6v93",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-5269",
"datePublished": "2020-04-20T16:45:20",
"dateReserved": "2020-01-02T00:00:00",
"dateUpdated": "2024-08-04T08:22:09.082Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-5288 (GCVE-0-2020-5288)
Vulnerability from cvelistv5
Published
2020-04-20 16:55
Modified
2024-08-04 08:22
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-284 - Improper Access Control
Summary
"In PrestaShop between versions 1.7.0.0 and 1.7.6.5, there is improper access controls on product attributes page. The problem is fixed in 1.7.6.5.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PrestaShop | PrestaShop |
Version: >= 1.7.0.0, < 1.7.6.5 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:22:09.110Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-4wxg-33h3-3w5r"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/fc1d796dda769efdbc4d9e02ea7a11e4167338d0"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PrestaShop",
"vendor": "PrestaShop",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.7.0.0, \u003c 1.7.6.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "\"In PrestaShop between versions 1.7.0.0 and 1.7.6.5, there is improper access controls on product attributes page. The problem is fixed in 1.7.6.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-04-20T16:55:22",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-4wxg-33h3-3w5r"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/fc1d796dda769efdbc4d9e02ea7a11e4167338d0"
}
],
"source": {
"advisory": "GHSA-4wxg-33h3-3w5r",
"discovery": "UNKNOWN"
},
"title": "Improper access control on product attributes page in PrestaShop",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-5288",
"STATE": "PUBLIC",
"TITLE": "Improper access control on product attributes page in PrestaShop"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PrestaShop",
"version": {
"version_data": [
{
"version_value": "\u003e= 1.7.0.0, \u003c 1.7.6.5"
}
]
}
}
]
},
"vendor_name": "PrestaShop"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "\"In PrestaShop between versions 1.7.0.0 and 1.7.6.5, there is improper access controls on product attributes page. The problem is fixed in 1.7.6.5."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-284: Improper Access Control"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-4wxg-33h3-3w5r",
"refsource": "CONFIRM",
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-4wxg-33h3-3w5r"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/fc1d796dda769efdbc4d9e02ea7a11e4167338d0",
"refsource": "MISC",
"url": "https://github.com/PrestaShop/PrestaShop/commit/fc1d796dda769efdbc4d9e02ea7a11e4167338d0"
}
]
},
"source": {
"advisory": "GHSA-4wxg-33h3-3w5r",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-5288",
"datePublished": "2020-04-20T16:55:22",
"dateReserved": "2020-01-02T00:00:00",
"dateUpdated": "2024-08-04T08:22:09.110Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-21308 (GCVE-0-2021-21308)
Vulnerability from cvelistv5
Published
2021-02-26 19:50
Modified
2024-08-03 18:09
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-287 - Improper Authentication
Summary
PrestaShop is a fully scalable open source e-commerce solution. In PrestaShop before version 1.7.2 the soft logout system is not complete and an attacker is able to foreign request and executes customer commands. The problem is fixed in 1.7.7.2
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PrestaShop | PrestaShop |
Version: >= 1.5.0, < 1.7.7.2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:09:15.260Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/releases/tag/1.7.7.2"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-557h-hf3c-whcg"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/2f673bd93e313f08c35e74decc105f40dc0b7dee"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PrestaShop",
"vendor": "PrestaShop",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.5.0, \u003c 1.7.7.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PrestaShop is a fully scalable open source e-commerce solution. In PrestaShop before version 1.7.2 the soft logout system is not complete and an attacker is able to foreign request and executes customer commands. The problem is fixed in 1.7.7.2"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-02-26T19:50:14",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/releases/tag/1.7.7.2"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-557h-hf3c-whcg"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/2f673bd93e313f08c35e74decc105f40dc0b7dee"
}
],
"source": {
"advisory": "GHSA-557h-hf3c-whcg",
"discovery": "UNKNOWN"
},
"title": "Improper session management for soft logout",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-21308",
"STATE": "PUBLIC",
"TITLE": "Improper session management for soft logout"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PrestaShop",
"version": {
"version_data": [
{
"version_value": "\u003e= 1.5.0, \u003c 1.7.7.2"
}
]
}
}
]
},
"vendor_name": "PrestaShop"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "PrestaShop is a fully scalable open source e-commerce solution. In PrestaShop before version 1.7.2 the soft logout system is not complete and an attacker is able to foreign request and executes customer commands. The problem is fixed in 1.7.7.2"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-287: Improper Authentication"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/PrestaShop/PrestaShop/releases/tag/1.7.7.2",
"refsource": "MISC",
"url": "https://github.com/PrestaShop/PrestaShop/releases/tag/1.7.7.2"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-557h-hf3c-whcg",
"refsource": "CONFIRM",
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-557h-hf3c-whcg"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/2f673bd93e313f08c35e74decc105f40dc0b7dee",
"refsource": "MISC",
"url": "https://github.com/PrestaShop/PrestaShop/commit/2f673bd93e313f08c35e74decc105f40dc0b7dee"
}
]
},
"source": {
"advisory": "GHSA-557h-hf3c-whcg",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-21308",
"datePublished": "2021-02-26T19:50:14",
"dateReserved": "2020-12-22T00:00:00",
"dateUpdated": "2024-08-03T18:09:15.260Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-39530 (GCVE-0-2023-39530)
Vulnerability from cvelistv5
Published
2023-08-07 20:51
Modified
2024-10-08 17:34
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-20 - Improper Input Validation
Summary
PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, it is possible to delete files from the server via the CustomerMessage API. Version 8.1.1 contains a patch for this issue. There are no known workarounds.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PrestaShop | PrestaShop |
Version: < 8.1.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:10:21.134Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-v4gr-v679-42p7",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-v4gr-v679-42p7"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/6ce750b2367a7309b6bf50166f1873cb86ad57e9",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/6ce750b2367a7309b6bf50166f1873cb86ad57e9"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-39530",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-08T17:33:05.071464Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-08T17:34:13.109Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "PrestaShop",
"vendor": "PrestaShop",
"versions": [
{
"status": "affected",
"version": "\u003c 8.1.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, it is possible to delete files from the server via the CustomerMessage API. Version 8.1.1 contains a patch for this issue. There are no known workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-07T20:51:52.155Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-v4gr-v679-42p7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-v4gr-v679-42p7"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/6ce750b2367a7309b6bf50166f1873cb86ad57e9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/6ce750b2367a7309b6bf50166f1873cb86ad57e9"
}
],
"source": {
"advisory": "GHSA-v4gr-v679-42p7",
"discovery": "UNKNOWN"
},
"title": "PrestaShop vulnerable to file deletion via CustomerMessage"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-39530",
"datePublished": "2023-08-07T20:51:52.155Z",
"dateReserved": "2023-08-03T16:27:36.263Z",
"dateUpdated": "2024-10-08T17:34:13.109Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-15162 (GCVE-0-2020-15162)
Vulnerability from cvelistv5
Published
2020-09-24 22:15
Modified
2024-08-04 13:08
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
In PrestaShop from version 1.5.0.0 and before version 1.7.6.8, users are allowed to send compromised files. These attachments allowed people to input malicious JavaScript which triggered an XSS payload. The problem is fixed in version 1.7.6.8.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PrestaShop | PrestaShop |
Version: > 1.5.0.0, < 1.7.6.8 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:08:22.436Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/releases/tag/1.7.6.8"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-rc8c-v7rq-q392"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/2cfcd33c75974a49f17665f294f228454e14d9cf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PrestaShop",
"vendor": "PrestaShop",
"versions": [
{
"status": "affected",
"version": "\u003e 1.5.0.0, \u003c 1.7.6.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In PrestaShop from version 1.5.0.0 and before version 1.7.6.8, users are allowed to send compromised files. These attachments allowed people to input malicious JavaScript which triggered an XSS payload. The problem is fixed in version 1.7.6.8."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-09-24T22:15:14",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/releases/tag/1.7.6.8"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-rc8c-v7rq-q392"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/2cfcd33c75974a49f17665f294f228454e14d9cf"
}
],
"source": {
"advisory": "GHSA-rc8c-v7rq-q392",
"discovery": "UNKNOWN"
},
"title": "Stored XSS in PrestaShop",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-15162",
"STATE": "PUBLIC",
"TITLE": "Stored XSS in PrestaShop"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PrestaShop",
"version": {
"version_data": [
{
"version_value": "\u003e 1.5.0.0, \u003c 1.7.6.8"
}
]
}
}
]
},
"vendor_name": "PrestaShop"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In PrestaShop from version 1.5.0.0 and before version 1.7.6.8, users are allowed to send compromised files. These attachments allowed people to input malicious JavaScript which triggered an XSS payload. The problem is fixed in version 1.7.6.8."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/PrestaShop/PrestaShop/releases/tag/1.7.6.8",
"refsource": "MISC",
"url": "https://github.com/PrestaShop/PrestaShop/releases/tag/1.7.6.8"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-rc8c-v7rq-q392",
"refsource": "CONFIRM",
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-rc8c-v7rq-q392"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/2cfcd33c75974a49f17665f294f228454e14d9cf",
"refsource": "MISC",
"url": "https://github.com/PrestaShop/PrestaShop/commit/2cfcd33c75974a49f17665f294f228454e14d9cf"
}
]
},
"source": {
"advisory": "GHSA-rc8c-v7rq-q392",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-15162",
"datePublished": "2020-09-24T22:15:14",
"dateReserved": "2020-06-25T00:00:00",
"dateUpdated": "2024-08-04T13:08:22.436Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-21627 (GCVE-0-2024-21627)
Vulnerability from cvelistv5
Published
2024-01-02 21:03
Modified
2025-06-03 14:45
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
PrestaShop is an open-source e-commerce platform. Prior to versions 8.1.3 and 1.7.8.11, some event attributes are not detected by the `isCleanHTML` method. Some modules using the `isCleanHTML` method could be vulnerable to cross-site scripting. Versions 8.1.3 and 1.7.8.11 contain a patch for this issue. The best workaround is to use the `HTMLPurifier` library to sanitize html input coming from users. The library is already available as a dependency in the PrestaShop project. Beware though that in legacy object models, fields of `HTML` type will call `isCleanHTML`.
References
| ► | URL | Tags |
|---|---|---|
|
|
||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PrestaShop | PrestaShop |
Version: >= 8.0.0, < 8.1.3 Version: < 1.7.8.11 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:27:36.164Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-xgpm-q3mq-46rq",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-xgpm-q3mq-46rq"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/73cfb44666818eefd501b526a894fe884dd12129",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/73cfb44666818eefd501b526a894fe884dd12129"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/ba06d18466df5b92cb841d504cc7210121104883",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/ba06d18466df5b92cb841d504cc7210121104883"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-21627",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-08T15:48:20.023420Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-03T14:45:21.732Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "PrestaShop",
"vendor": "PrestaShop",
"versions": [
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.1.3"
},
{
"status": "affected",
"version": "\u003c 1.7.8.11"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PrestaShop is an open-source e-commerce platform. Prior to versions 8.1.3 and 1.7.8.11, some event attributes are not detected by the `isCleanHTML` method. Some modules using the `isCleanHTML` method could be vulnerable to cross-site scripting. Versions 8.1.3 and 1.7.8.11 contain a patch for this issue. The best workaround is to use the `HTMLPurifier` library to sanitize html input coming from users. The library is already available as a dependency in the PrestaShop project. Beware though that in legacy object models, fields of `HTML` type will call `isCleanHTML`."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-02T21:03:17.816Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-xgpm-q3mq-46rq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-xgpm-q3mq-46rq"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/73cfb44666818eefd501b526a894fe884dd12129",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/73cfb44666818eefd501b526a894fe884dd12129"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/ba06d18466df5b92cb841d504cc7210121104883",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/ba06d18466df5b92cb841d504cc7210121104883"
}
],
"source": {
"advisory": "GHSA-xgpm-q3mq-46rq",
"discovery": "UNKNOWN"
},
"title": "Some attribute not escaped in Validate::isCleanHTML method"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-21627",
"datePublished": "2024-01-02T21:03:17.816Z",
"dateReserved": "2023-12-29T03:00:44.954Z",
"dateUpdated": "2025-06-03T14:45:21.732Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-26224 (GCVE-0-2020-26224)
Vulnerability from cvelistv5
Published
2020-11-16 21:25
Modified
2024-08-04 15:49
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-284 - Improper Access Control
Summary
In PrestaShop before version 1.7.6.9 an attacker is able to list all the orders placed on the website without being logged by abusing the function that allows a shopping cart to be recreated from an order already placed. The problem is fixed in 1.7.6.9.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PrestaShop | PrestaShop |
Version: >= 1.4.10.0 < 1.7.6.9 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:49:07.168Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-frf2-c9q3-qg9m"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/709d9afab7bdba1de5d7225a40e4f28c35975909"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PrestaShop",
"vendor": "PrestaShop",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.4.10.0 \u003c 1.7.6.9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In PrestaShop before version 1.7.6.9 an attacker is able to list all the orders placed on the website without being logged by abusing the function that allows a shopping cart to be recreated from an order already placed. The problem is fixed in 1.7.6.9."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-11-16T21:25:12",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-frf2-c9q3-qg9m"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/709d9afab7bdba1de5d7225a40e4f28c35975909"
}
],
"source": {
"advisory": "GHSA-frf2-c9q3-qg9m",
"discovery": "UNKNOWN"
},
"title": "Improper Access Control in PrestaShop",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-26224",
"STATE": "PUBLIC",
"TITLE": "Improper Access Control in PrestaShop"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PrestaShop",
"version": {
"version_data": [
{
"version_value": "\u003e= 1.4.10.0 \u003c 1.7.6.9"
}
]
}
}
]
},
"vendor_name": "PrestaShop"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In PrestaShop before version 1.7.6.9 an attacker is able to list all the orders placed on the website without being logged by abusing the function that allows a shopping cart to be recreated from an order already placed. The problem is fixed in 1.7.6.9."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-284: Improper Access Control"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-frf2-c9q3-qg9m",
"refsource": "CONFIRM",
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-frf2-c9q3-qg9m"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/709d9afab7bdba1de5d7225a40e4f28c35975909",
"refsource": "MISC",
"url": "https://github.com/PrestaShop/PrestaShop/commit/709d9afab7bdba1de5d7225a40e4f28c35975909"
}
]
},
"source": {
"advisory": "GHSA-frf2-c9q3-qg9m",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-26224",
"datePublished": "2020-11-16T21:25:12",
"dateReserved": "2020-10-01T00:00:00",
"dateUpdated": "2024-08-04T15:49:07.168Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-4074 (GCVE-0-2020-4074)
Vulnerability from cvelistv5
Published
2020-07-02 17:05
Modified
2024-08-04 07:52
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-287 - Improper Authentication
Summary
In PrestaShop from version 1.5.0.0 and before version 1.7.6.6, the authentication system is malformed and an attacker is able to forge requests and execute admin commands. The problem is fixed in 1.7.6.6.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PrestaShop | PrestaShop |
Version: >= 1.5.0.0, < 1.7.6.6 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T07:52:20.910Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-ccvh-jh5x-mpg4"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/30b6a7bdaca9cb940d3ce462906dbb062499fc30"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PrestaShop",
"vendor": "PrestaShop",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.5.0.0, \u003c 1.7.6.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In PrestaShop from version 1.5.0.0 and before version 1.7.6.6, the authentication system is malformed and an attacker is able to forge requests and execute admin commands. The problem is fixed in 1.7.6.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.9,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-07T18:32:14",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-ccvh-jh5x-mpg4"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/30b6a7bdaca9cb940d3ce462906dbb062499fc30"
}
],
"source": {
"advisory": "GHSA-ccvh-jh5x-mpg4",
"discovery": "UNKNOWN"
},
"title": "Improper Authentication",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-4074",
"STATE": "PUBLIC",
"TITLE": "Improper Authentication"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PrestaShop",
"version": {
"version_data": [
{
"version_value": "\u003e= 1.5.0.0, \u003c 1.7.6.6"
}
]
}
}
]
},
"vendor_name": "PrestaShop"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In PrestaShop from version 1.5.0.0 and before version 1.7.6.6, the authentication system is malformed and an attacker is able to forge requests and execute admin commands. The problem is fixed in 1.7.6.6."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.9,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-287: Improper Authentication"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-ccvh-jh5x-mpg4",
"refsource": "CONFIRM",
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-ccvh-jh5x-mpg4"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/30b6a7bdaca9cb940d3ce462906dbb062499fc30",
"refsource": "MISC",
"url": "https://github.com/PrestaShop/PrestaShop/commit/30b6a7bdaca9cb940d3ce462906dbb062499fc30"
}
]
},
"source": {
"advisory": "GHSA-ccvh-jh5x-mpg4",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-4074",
"datePublished": "2020-07-02T17:05:25",
"dateReserved": "2019-12-30T00:00:00",
"dateUpdated": "2024-08-04T07:52:20.910Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-21628 (GCVE-0-2024-21628)
Vulnerability from cvelistv5
Published
2024-01-02 21:17
Modified
2024-11-14 19:10
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
PrestaShop is an open-source e-commerce platform. Prior to version 8.1.3, the isCleanHtml method is not used on this this form, which makes it possible to store a cross-site scripting payload in the database. The impact is low because the HTML is not interpreted in BO, thanks to twig's escape mechanism. In FO, the cross-site scripting attack is effective, but only impacts the customer sending it, or the customer session from which it was sent. This issue affects those who have a module fetching these messages from the DB and displaying it without escaping HTML. Version 8.1.3 contains a patch for this issue.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PrestaShop | PrestaShop |
Version: < 8.1.3 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:27:35.896Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-vr7m-r9vm-m4wf",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-vr7m-r9vm-m4wf"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/c3d78b7e49f5fe49a9d07725c3174d005deaa597",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/c3d78b7e49f5fe49a9d07725c3174d005deaa597"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-21628",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-16T16:32:28.268211Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-14T19:10:16.008Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "PrestaShop",
"vendor": "PrestaShop",
"versions": [
{
"status": "affected",
"version": "\u003c 8.1.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PrestaShop is an open-source e-commerce platform. Prior to version 8.1.3, the isCleanHtml method is not used on this this form, which makes it possible to store a cross-site scripting payload in the database. The impact is low because the HTML is not interpreted in BO, thanks to twig\u0027s escape mechanism. In FO, the cross-site scripting attack is effective, but only impacts the customer sending it, or the customer session from which it was sent. This issue affects those who have a module fetching these messages from the DB and displaying it without escaping HTML. Version 8.1.3 contains a patch for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-02T21:17:14.733Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-vr7m-r9vm-m4wf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-vr7m-r9vm-m4wf"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/c3d78b7e49f5fe49a9d07725c3174d005deaa597",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/c3d78b7e49f5fe49a9d07725c3174d005deaa597"
}
],
"source": {
"advisory": "GHSA-vr7m-r9vm-m4wf",
"discovery": "UNKNOWN"
},
"title": "XSS can be stored in DB from \"add a message form\" in order detail page (FO)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-21628",
"datePublished": "2024-01-02T21:17:14.733Z",
"dateReserved": "2023-12-29T03:00:44.954Z",
"dateUpdated": "2024-11-14T19:10:16.008Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-1230 (GCVE-0-2025-1230)
Vulnerability from cvelistv5
Published
2025-02-12 10:38
Modified
2025-02-12 16:07
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Summary
Stored Cross-Site Scripting (XSS) vulnerability in Prestashop 8.1.7, due to the lack of proper validation of user input through ‘/<admin_directory>/index.php’, affecting the ‘link’ parameter. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal their cookie session details.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Prestashop | Prestashop |
Version: 8.1.7 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-1230",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-12T14:56:07.683783Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T16:07:33.164Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Prestashop",
"vendor": "Prestashop",
"versions": [
{
"status": "affected",
"version": "8.1.7"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "David Aparicio Salcedo"
}
],
"datePublic": "2025-02-11T11:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Stored Cross-Site Scripting (XSS) vulnerability in Prestashop 8.1.7, due to the lack of proper validation of user input through \u2018/\u0026lt;admin_directory\u0026gt;/index.php\u2019, affecting the \u2018link\u2019 parameter. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal their cookie session details."
}
],
"value": "Stored Cross-Site Scripting (XSS) vulnerability in Prestashop 8.1.7, due to the lack of proper validation of user input through \u2018/\u003cadmin_directory\u003e/index.php\u2019, affecting the \u2018link\u2019 parameter. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal their cookie session details."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T10:38:08.379Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/cross-site-scripting-xss-vulnerability-prestashop"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The manufacturer is working on a fix for this vulnerability. It is recommended to update to the latest version available."
}
],
"value": "The manufacturer is working on a fix for this vulnerability. It is recommended to update to the latest version available."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Cross-Site Scripting (XSS) vulnerability in Prestashop",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2025-1230",
"datePublished": "2025-02-12T10:38:08.379Z",
"dateReserved": "2025-02-11T12:01:22.175Z",
"dateUpdated": "2025-02-12T16:07:33.164Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-26129 (GCVE-0-2024-26129)
Vulnerability from cvelistv5
Published
2024-02-19 21:59
Modified
2024-08-01 23:59
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Summary
PrestaShop is an open-source e-commerce platform. Starting in version 8.1.0 and prior to version 8.1.4, PrestaShop is vulnerable to path disclosure in a JavaScript variable. A patch is available in version 8.1.4.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PrestaShop | PrestaShop |
Version: >= 8.1.0, < 8.1.4 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:prestashop:prestashop:8.1.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "prestashop",
"vendor": "prestashop",
"versions": [
{
"lessThan": "8.1.4",
"status": "affected",
"version": "8.1.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26129",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-21T19:38:34.924222Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-25T16:43:47.669Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:59:32.697Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-3366-9287-7qpr",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-3366-9287-7qpr"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/444bd0dea581659918fe2067541b9863cf099dd5",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/444bd0dea581659918fe2067541b9863cf099dd5"
},
{
"name": "https://owasp.org/www-community/attacks/Full_Path_Disclosure",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://owasp.org/www-community/attacks/Full_Path_Disclosure"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PrestaShop",
"vendor": "PrestaShop",
"versions": [
{
"status": "affected",
"version": "\u003e= 8.1.0, \u003c 8.1.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PrestaShop is an open-source e-commerce platform. Starting in version 8.1.0 and prior to version 8.1.4, PrestaShop is vulnerable to path disclosure in a JavaScript variable. A patch is available in version 8.1.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-19T21:59:54.426Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-3366-9287-7qpr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-3366-9287-7qpr"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/444bd0dea581659918fe2067541b9863cf099dd5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/444bd0dea581659918fe2067541b9863cf099dd5"
},
{
"name": "https://owasp.org/www-community/attacks/Full_Path_Disclosure",
"tags": [
"x_refsource_MISC"
],
"url": "https://owasp.org/www-community/attacks/Full_Path_Disclosure"
}
],
"source": {
"advisory": "GHSA-3366-9287-7qpr",
"discovery": "UNKNOWN"
},
"title": "Prestashop vulnerable to path disclosure in JavaScript variable"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-26129",
"datePublished": "2024-02-19T21:59:54.426Z",
"dateReserved": "2024-02-14T17:40:03.687Z",
"dateUpdated": "2024-08-01T23:59:32.697Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-5285 (GCVE-0-2020-5285)
Vulnerability from cvelistv5
Published
2020-04-20 16:50
Modified
2024-08-04 08:22
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
In PrestaShop between versions 1.7.6.0 and 1.7.6.5, there is a reflected XSS with `back` parameter. The problem is fixed in 1.7.6.5
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PrestaShop | PrestaShop |
Version: >= 1.7.6.0, < 1.7.6.5 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:22:09.085Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-j3r6-33hf-m8wh"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/b6aea152988d81e1586f1c03f2e72c9ef2fe7df7"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PrestaShop",
"vendor": "PrestaShop",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.7.6.0, \u003c 1.7.6.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In PrestaShop between versions 1.7.6.0 and 1.7.6.5, there is a reflected XSS with `back` parameter. The problem is fixed in 1.7.6.5"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-04-20T16:50:12",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-j3r6-33hf-m8wh"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/b6aea152988d81e1586f1c03f2e72c9ef2fe7df7"
}
],
"source": {
"advisory": "GHSA-j3r6-33hf-m8wh",
"discovery": "UNKNOWN"
},
"title": "Reflected XSS with back parameter in PrestaShop",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-5285",
"STATE": "PUBLIC",
"TITLE": "Reflected XSS with back parameter in PrestaShop"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PrestaShop",
"version": {
"version_data": [
{
"version_value": "\u003e= 1.7.6.0, \u003c 1.7.6.5"
}
]
}
}
]
},
"vendor_name": "PrestaShop"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In PrestaShop between versions 1.7.6.0 and 1.7.6.5, there is a reflected XSS with `back` parameter. The problem is fixed in 1.7.6.5"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-j3r6-33hf-m8wh",
"refsource": "CONFIRM",
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-j3r6-33hf-m8wh"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/b6aea152988d81e1586f1c03f2e72c9ef2fe7df7",
"refsource": "MISC",
"url": "https://github.com/PrestaShop/PrestaShop/commit/b6aea152988d81e1586f1c03f2e72c9ef2fe7df7"
}
]
},
"source": {
"advisory": "GHSA-j3r6-33hf-m8wh",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-5285",
"datePublished": "2020-04-20T16:50:13",
"dateReserved": "2020-01-02T00:00:00",
"dateUpdated": "2024-08-04T08:22:09.085Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-5264 (GCVE-0-2020-5264)
Vulnerability from cvelistv5
Published
2020-04-20 16:40
Modified
2024-08-04 08:22
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
In PrestaShop before version 1.7.6.5, there is a reflected XSS while running the security compromised page. It allows anyone to execute arbitrary action. The problem is patched in the 1.7.6.5.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PrestaShop | PrestaShop |
Version: < 1.7.6.5 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:22:09.088Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-48vj-vvr6-jj4f"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/06b7765c91c58e09ab4f8ddafbde02070fcb6f3a"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PrestaShop",
"vendor": "PrestaShop",
"versions": [
{
"status": "affected",
"version": "\u003c 1.7.6.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In PrestaShop before version 1.7.6.5, there is a reflected XSS while running the security compromised page. It allows anyone to execute arbitrary action. The problem is patched in the 1.7.6.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-04-20T16:40:18",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-48vj-vvr6-jj4f"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/06b7765c91c58e09ab4f8ddafbde02070fcb6f3a"
}
],
"source": {
"advisory": "GHSA-48vj-vvr6-jj4f",
"discovery": "UNKNOWN"
},
"title": "Reflected XSS in security compromised page of PrestaShop",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-5264",
"STATE": "PUBLIC",
"TITLE": "Reflected XSS in security compromised page of PrestaShop"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PrestaShop",
"version": {
"version_data": [
{
"version_value": "\u003c 1.7.6.5"
}
]
}
}
]
},
"vendor_name": "PrestaShop"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In PrestaShop before version 1.7.6.5, there is a reflected XSS while running the security compromised page. It allows anyone to execute arbitrary action. The problem is patched in the 1.7.6.5."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-48vj-vvr6-jj4f",
"refsource": "CONFIRM",
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-48vj-vvr6-jj4f"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/06b7765c91c58e09ab4f8ddafbde02070fcb6f3a",
"refsource": "CONFIRM",
"url": "https://github.com/PrestaShop/PrestaShop/commit/06b7765c91c58e09ab4f8ddafbde02070fcb6f3a"
}
]
},
"source": {
"advisory": "GHSA-48vj-vvr6-jj4f",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-5264",
"datePublished": "2020-04-20T16:40:19",
"dateReserved": "2020-01-02T00:00:00",
"dateUpdated": "2024-08-04T08:22:09.088Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-15081 (GCVE-0-2020-15081)
Vulnerability from cvelistv5
Published
2020-07-02 16:45
Modified
2024-08-04 13:08
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-548 - {"":"Exposure of Information Through Directory Listing"}
Summary
In PrestaShop from version 1.5.0.0 and before 1.7.6.6, there is information exposure in the upload directory. The problem is fixed in version 1.7.6.6. A possible workaround is to add an empty index.php file in the upload directory.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PrestaShop | PrestaShop |
Version: >= 1.5.0.0, < 1.7.6.6 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:08:21.739Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-997j-f42g-x57c"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/bac9ea6936b073f84b1abd9864317af3713f1901"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PrestaShop",
"vendor": "PrestaShop",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.5.0.0, \u003c 1.7.6.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In PrestaShop from version 1.5.0.0 and before 1.7.6.6, there is information exposure in the upload directory. The problem is fixed in version 1.7.6.6. A possible workaround is to add an empty index.php file in the upload directory."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-548",
"description": "{\"CWE-548\":\"Exposure of Information Through Directory Listing\"}",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-02T16:45:13",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-997j-f42g-x57c"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/bac9ea6936b073f84b1abd9864317af3713f1901"
}
],
"source": {
"advisory": "GHSA-997j-f42g-x57c",
"discovery": "UNKNOWN"
},
"title": "Information exposure in the upload directory in PrestaShop",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-15081",
"STATE": "PUBLIC",
"TITLE": "Information exposure in the upload directory in PrestaShop"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PrestaShop",
"version": {
"version_data": [
{
"version_value": "\u003e= 1.5.0.0, \u003c 1.7.6.6"
}
]
}
}
]
},
"vendor_name": "PrestaShop"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In PrestaShop from version 1.5.0.0 and before 1.7.6.6, there is information exposure in the upload directory. The problem is fixed in version 1.7.6.6. A possible workaround is to add an empty index.php file in the upload directory."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "{\"CWE-548\":\"Exposure of Information Through Directory Listing\"}"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-997j-f42g-x57c",
"refsource": "CONFIRM",
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-997j-f42g-x57c"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/bac9ea6936b073f84b1abd9864317af3713f1901",
"refsource": "MISC",
"url": "https://github.com/PrestaShop/PrestaShop/commit/bac9ea6936b073f84b1abd9864317af3713f1901"
}
]
},
"source": {
"advisory": "GHSA-997j-f42g-x57c",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-15081",
"datePublished": "2020-07-02T16:45:13",
"dateReserved": "2020-06-25T00:00:00",
"dateUpdated": "2024-08-04T13:08:21.739Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-5270 (GCVE-0-2020-5270)
Vulnerability from cvelistv5
Published
2020-04-20 16:45
Modified
2024-08-04 08:22
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Summary
In PrestaShop between versions 1.7.6.0 and 1.7.6.5, there is an open redirection when using back parameter. The impacts can be many, and vary from the theft of information and credentials to the redirection to malicious websites containing attacker-controlled content, which in some cases even cause XSS attacks. So even though an open redirection might sound harmless at first, the impacts of it can be severe should it be exploitable. The problem is fixed in 1.7.6.5
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PrestaShop | PrestaShop |
Version: >= 1.7.6.0, < 1.7.6.5 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:22:09.085Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-375w-q56h-h7qc"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/cd2219dca49965ae8421bb5a53fc301f3f23c458"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PrestaShop",
"vendor": "PrestaShop",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.7.6.0, \u003c 1.7.6.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In PrestaShop between versions 1.7.6.0 and 1.7.6.5, there is an open redirection when using back parameter. The impacts can be many, and vary from the theft of information and credentials to the redirection to malicious websites containing attacker-controlled content, which in some cases even cause XSS attacks. So even though an open redirection might sound harmless at first, the impacts of it can be severe should it be exploitable. The problem is fixed in 1.7.6.5"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-04-20T16:45:15",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-375w-q56h-h7qc"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/cd2219dca49965ae8421bb5a53fc301f3f23c458"
}
],
"source": {
"advisory": "GHSA-375w-q56h-h7qc",
"discovery": "UNKNOWN"
},
"title": "Open redirection when using back parameter of PrestaShop",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-5270",
"STATE": "PUBLIC",
"TITLE": "Open redirection when using back parameter of PrestaShop"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PrestaShop",
"version": {
"version_data": [
{
"version_value": "\u003e= 1.7.6.0, \u003c 1.7.6.5"
}
]
}
}
]
},
"vendor_name": "PrestaShop"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In PrestaShop between versions 1.7.6.0 and 1.7.6.5, there is an open redirection when using back parameter. The impacts can be many, and vary from the theft of information and credentials to the redirection to malicious websites containing attacker-controlled content, which in some cases even cause XSS attacks. So even though an open redirection might sound harmless at first, the impacts of it can be severe should it be exploitable. The problem is fixed in 1.7.6.5"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-375w-q56h-h7qc",
"refsource": "CONFIRM",
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-375w-q56h-h7qc"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/cd2219dca49965ae8421bb5a53fc301f3f23c458",
"refsource": "MISC",
"url": "https://github.com/PrestaShop/PrestaShop/commit/cd2219dca49965ae8421bb5a53fc301f3f23c458"
}
]
},
"source": {
"advisory": "GHSA-375w-q56h-h7qc",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-5270",
"datePublished": "2020-04-20T16:45:15",
"dateReserved": "2020-01-02T00:00:00",
"dateUpdated": "2024-08-04T08:22:09.085Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-43664 (GCVE-0-2023-43664)
Vulnerability from cvelistv5
Published
2023-09-28 18:16
Modified
2024-09-20 19:26
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-269 - Improper Privilege Management
Summary
PrestaShop is an Open Source e-commerce web application. In the Prestashop Back office interface, an employee can list all modules without any access rights: method `ajaxProcessGetPossibleHookingListForModule` doesn't check access rights. This issue has been addressed in commit `15bd281c` which is included in version 8.1.2. Users are advised to upgrade. There are no known workaround for this issue.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PrestaShop | PrestaShop |
Version: < 8.1.2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:44:43.845Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-gvrg-62jp-rf7j",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-gvrg-62jp-rf7j"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/15bd281c18f032a5134a8d213b44d24829d45762",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/15bd281c18f032a5134a8d213b44d24829d45762"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-43664",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-20T17:48:03.346969Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-20T19:26:46.506Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "PrestaShop",
"vendor": "PrestaShop",
"versions": [
{
"status": "affected",
"version": "\u003c 8.1.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PrestaShop is an Open Source e-commerce web application. In the Prestashop Back office interface, an employee can list all modules without any access rights: method `ajaxProcessGetPossibleHookingListForModule` doesn\u0027t check access rights. This issue has been addressed in commit `15bd281c` which is included in version 8.1.2. Users are advised to upgrade. There are no known workaround for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-28T18:16:57.658Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-gvrg-62jp-rf7j",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-gvrg-62jp-rf7j"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/15bd281c18f032a5134a8d213b44d24829d45762",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/15bd281c18f032a5134a8d213b44d24829d45762"
}
],
"source": {
"advisory": "GHSA-gvrg-62jp-rf7j",
"discovery": "UNKNOWN"
},
"title": "Employee without any access rights can list all installed modules in Prestashop"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-43664",
"datePublished": "2023-09-28T18:16:57.658Z",
"dateReserved": "2023-09-20T15:35:38.148Z",
"dateUpdated": "2024-09-20T19:26:46.506Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-5278 (GCVE-0-2020-5278)
Vulnerability from cvelistv5
Published
2020-04-20 16:50
Modified
2024-08-04 08:22
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
In PrestaShop between versions 1.5.4.0 and 1.7.6.5, there is a reflected XSS on Exception page The problem is fixed in 1.7.6.5
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PrestaShop | PrestaShop |
Version: >= 1.5.4.0, < 1.7.6.5 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:22:09.087Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-mrpj-67mq-3fr5"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/ea85210d6e5d81f058b55764bc4608cdb0b36c5d"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PrestaShop",
"vendor": "PrestaShop",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.5.4.0, \u003c 1.7.6.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In PrestaShop between versions 1.5.4.0 and 1.7.6.5, there is a reflected XSS on Exception page The problem is fixed in 1.7.6.5"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-04-20T16:50:23",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-mrpj-67mq-3fr5"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/ea85210d6e5d81f058b55764bc4608cdb0b36c5d"
}
],
"source": {
"advisory": "GHSA-mrpj-67mq-3fr5",
"discovery": "UNKNOWN"
},
"title": "Reflected XSS on Exception page of PrestaShop",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-5278",
"STATE": "PUBLIC",
"TITLE": "Reflected XSS on Exception page of PrestaShop"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PrestaShop",
"version": {
"version_data": [
{
"version_value": "\u003e= 1.5.4.0, \u003c 1.7.6.5"
}
]
}
}
]
},
"vendor_name": "PrestaShop"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In PrestaShop between versions 1.5.4.0 and 1.7.6.5, there is a reflected XSS on Exception page The problem is fixed in 1.7.6.5"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-mrpj-67mq-3fr5",
"refsource": "CONFIRM",
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-mrpj-67mq-3fr5"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/ea85210d6e5d81f058b55764bc4608cdb0b36c5d",
"refsource": "MISC",
"url": "https://github.com/PrestaShop/PrestaShop/commit/ea85210d6e5d81f058b55764bc4608cdb0b36c5d"
}
]
},
"source": {
"advisory": "GHSA-mrpj-67mq-3fr5",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-5278",
"datePublished": "2020-04-20T16:50:24",
"dateReserved": "2020-01-02T00:00:00",
"dateUpdated": "2024-08-04T08:22:09.087Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-15160 (GCVE-0-2020-15160)
Vulnerability from cvelistv5
Published
2020-09-24 22:10
Modified
2024-08-04 13:08
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Summary
PrestaShop from version 1.7.5.0 and before version 1.7.6.8 is vulnerable to a blind SQL Injection attack in the Catalog Product edition page with location parameter. The problem is fixed in 1.7.6.8
References
| ► | URL | Tags |
|---|---|---|
|
|
||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PrestaShop | PrestaShop |
Version: >= 1.7.5.0, < 1.7.6.8 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:08:22.432Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/releases/tag/1.7.6.8"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-fghq-8h87-826g"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/3fa0dfa5a8f4b149c7c90b948a12b4f5999a5ef8"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/162140/PrestaShop-1.7.6.7-SQL-Injection.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PrestaShop",
"vendor": "PrestaShop",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.7.5.0, \u003c 1.7.6.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PrestaShop from version 1.7.5.0 and before version 1.7.6.8 is vulnerable to a blind SQL Injection attack in the Catalog Product edition page with location parameter. The problem is fixed in 1.7.6.8"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-09T18:06:18",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/releases/tag/1.7.6.8"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-fghq-8h87-826g"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/3fa0dfa5a8f4b149c7c90b948a12b4f5999a5ef8"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/162140/PrestaShop-1.7.6.7-SQL-Injection.html"
}
],
"source": {
"advisory": "GHSA-fghq-8h87-826g",
"discovery": "UNKNOWN"
},
"title": "Blind SQL Injection in PrestaShop",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-15160",
"STATE": "PUBLIC",
"TITLE": "Blind SQL Injection in PrestaShop"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PrestaShop",
"version": {
"version_data": [
{
"version_value": "\u003e= 1.7.5.0, \u003c 1.7.6.8"
}
]
}
}
]
},
"vendor_name": "PrestaShop"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "PrestaShop from version 1.7.5.0 and before version 1.7.6.8 is vulnerable to a blind SQL Injection attack in the Catalog Product edition page with location parameter. The problem is fixed in 1.7.6.8"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/PrestaShop/PrestaShop/releases/tag/1.7.6.8",
"refsource": "MISC",
"url": "https://github.com/PrestaShop/PrestaShop/releases/tag/1.7.6.8"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-fghq-8h87-826g",
"refsource": "CONFIRM",
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-fghq-8h87-826g"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/3fa0dfa5a8f4b149c7c90b948a12b4f5999a5ef8",
"refsource": "MISC",
"url": "https://github.com/PrestaShop/PrestaShop/commit/3fa0dfa5a8f4b149c7c90b948a12b4f5999a5ef8"
},
{
"name": "http://packetstormsecurity.com/files/162140/PrestaShop-1.7.6.7-SQL-Injection.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/162140/PrestaShop-1.7.6.7-SQL-Injection.html"
}
]
},
"source": {
"advisory": "GHSA-fghq-8h87-826g",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-15160",
"datePublished": "2020-09-24T22:10:19",
"dateReserved": "2020-06-25T00:00:00",
"dateUpdated": "2024-08-04T13:08:22.432Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-30545 (GCVE-0-2023-30545)
Vulnerability from cvelistv5
Published
2023-04-25 17:47
Modified
2025-02-03 19:36
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Summary
PrestaShop is an Open Source e-commerce web application. Prior to versions 8.0.4 and 1.7.8.9, it is possible for a user with access to the SQL Manager (Advanced Options -> Database) to arbitrarily read any file on the operating system when using SQL function `LOAD_FILE` in a `SELECT` request. This gives the user access to critical information. A patch is available in PrestaShop 8.0.4 and PS 1.7.8.9
References
| ► | URL | Tags |
|---|---|---|
|
|
||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PrestaShop | PrestaShop |
Version: < 1.7.8.9 Version: >= 8.0.0, < 8.0.4 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:28:51.796Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-8r4m-5p6p-52rp",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-8r4m-5p6p-52rp"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/cddac4198a47c602878a787280d813f60c6c0630",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/cddac4198a47c602878a787280d813f60c6c0630"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/d900806e1841a31f26ff0a1843a6888fc1bb7f81",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/d900806e1841a31f26ff0a1843a6888fc1bb7f81"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-30545",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-03T19:36:12.172162Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-03T19:36:21.288Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "PrestaShop",
"vendor": "PrestaShop",
"versions": [
{
"status": "affected",
"version": "\u003c 1.7.8.9"
},
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.0.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PrestaShop is an Open Source e-commerce web application. Prior to versions 8.0.4 and 1.7.8.9, it is possible for a user with access to the SQL Manager (Advanced Options -\u003e Database) to arbitrarily read any file on the operating system when using SQL function `LOAD_FILE` in a `SELECT` request. This gives the user access to critical information. A patch is available in PrestaShop 8.0.4 and PS 1.7.8.9\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-25T17:47:01.579Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-8r4m-5p6p-52rp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-8r4m-5p6p-52rp"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/cddac4198a47c602878a787280d813f60c6c0630",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/cddac4198a47c602878a787280d813f60c6c0630"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/d900806e1841a31f26ff0a1843a6888fc1bb7f81",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/d900806e1841a31f26ff0a1843a6888fc1bb7f81"
}
],
"source": {
"advisory": "GHSA-8r4m-5p6p-52rp",
"discovery": "UNKNOWN"
},
"title": "PrestaShop arbitrary file read vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-30545",
"datePublished": "2023-04-25T17:47:01.579Z",
"dateReserved": "2023-04-12T15:19:33.767Z",
"dateUpdated": "2025-02-03T19:36:21.288Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}