[CVE-2023-30149] Improper neutralization of SQL parameter in the City Autocomplete (cityautocomplete) module from ebewe.net for PrestaShop

SQL injection vulnerability in the City Autocomplete (cityautocomplete) module from ebewe.net for PrestaShop, prior to version 1.8.12 (for PrestaShop version 1.5/1.6) or prior to 2.0.3 (for PrestaShop version 1.7), allows remote attackers to execute arbitrary SQL commands via the type, input_name. or q parameter in the autocompletion.php front controller.

[CVE-2023-30197] Improper Limitation of a Pathname to a Restricted Directory in Webbax - My inventory module for PrestaShop

In the module “My inventory” (myinventory) from Webbax for PrestaShop, a guest can download personnal informations without restriction by performing a path traversal attack.

[CVE-2023-33280] Improper neutralization of multiple SQL parameters in the scquickaccounting module for PrestaShop

In the module “SC Quick Accounting” (scquickaccounting), an anonymous user can perform a SQL injection. The module have been patched in version 3.7.4.

[CVE-2023-33279] Improper neutralization of multiple SQL parameters in the SC Fix My Prestashop module for PrestaShop

In the module “SC Fix My Prestashop” (scfixmyprestashop), an anonymous user can perform a SQL injection. The module is obsolete and must be deleted.

[CVE-2023-33278] Improper neutralization of multiple SQL parameters in the scexportcustomers module for PrestaShop

In the module “SC Export Customers” (scexportcustomers), an anonymous user can perform SQL injections. The module have been patched in version 3.6.2.

[CVE-2023-30196] Improper Limitation of a Pathname to a Restricted Directory in Webbax - Sales Booster module for PrestaShop

In the module “Sales Booster” (salesbooster) from Webbax for PrestaShop, a guest can download personnal informations without restriction by performing a path traversal attack.

[CVE-2023-30191] Improper neutralization of SQL parameter in Prestaeg - CDesigner module for PrestaShop

In the module “CDesigner” (cdesigner) from Prestaeg for PrestaShop, a guest can perform SQL injection in affected versions.

[CVE-2023-30199] Improper Limitation of a Pathname to a Restricted Directory in Webbax - Custom Exporter module for PrestaShop

In the module “Custom Exporter” (customexporter) from Webbax for PrestaShop, a guest can download personnal informations without restriction by performing a path traversal attack.

[CVE-2023-30192] Improper neutralization of SQL parameter in PosThemes - Search Products for PrestaShop

In the module “Search Products” (possearchproducts) from PosThemes for PrestaShop, a guest can perform SQL injection in affected versions.

[CVE-2023-30194] Improper neutralization of SQL parameter in Posthemes - Static Footer module for PrestaShop

In the module “Static Footer” (posstaticfooter) from PosThemes for PrestaShop, a guest can perform SQL injection in affected versions.

[CVE-2023-30281] Exposure of Private Personal Information to an Unauthorized Actor in SC Quick Accounting module for PrestaShop

In the module “SC Quick Accounting” (scquickaccounting), a guest can download personnal informations without restriction.

[CVE-2023-30282] Exposure of Private Personal Information to an Unauthorized Actor in SC Export Customers module for PrestaShop

In the module “SC Export Customers” (scexportcustomers), a guest can download personnal informations without restriction.

[CVE-2023-30189] Improper neutralization of SQL parameter in Posthemes - Static Blocks module for PrestaShop

In the module “Static Blocks” (posstaticblocks) from PosThemes for PrestaShop, a guest can perform SQL injection in affected versions.

[CVE-2023-27843] Improper neutralization of a SQL parameter in askforaquote module for PrestaShop

In the module “Ask for a Quote - Convert to order, messaging system” (askforaquote) for PrestaShop, an anonymous user can perform SQL injection before 5.4.3. Release 5.4.3 fixed this security issue.

[CVE-2023-26865] Improper neutralization of a SQL parameter in bdroppy module for PrestaShop

In the module “BDroppy- The best brands for your dropshipping business” (bdroppy) for PrestaShop, an attacker can perform a blind SQL injection before 2.2.27. Release 2.2.28 fixed this security issue.

[CVE-2023-28839] Improper neutralization of a SQL parameter in Shoppingfeed module for PrestaShop

SQL injection vulnerability found in the module “Shoppingfeed Prestashop Plugin (Feed&Order)” (aka shoppingfeed) for PrestaShop from 1.4.0 to 1.8.2. (1.8.3 fix the issue) allow a remote attacker to gain privileges.

[CVE-2023-27844] Improper neutralization of SQL parameter in leurlrewrite for PrestaShop

In the module “LitExtension Url Plugin” (leurlrewrite) for PrestaShop, an attacker can perform SQL injection up to 1.0. Even though the module has been patched in version 1.0, the version number was not incremented at the time. We consider the issue resolved in versions after 1.0.

[CVE-2023-27032] Improper neutralization of SQL parameter in Idnovate - AdvancedPopupCreator module for PrestaShop

In the module “Advanced Popup Creator” (advancedpopupcreator) from Idnovate for PrestaShop, a guest can perform SQL injection in affected versions.

[CVE-2023-27033] Unrestricted Upload of File with Dangerous Type in Cdesigner module for PrestaShop

In the module “Cdesigner” (cdesigner) up to 3.2.1 (3.2.2 fix the issue), a guest can upload files with extensions .php.+ (like .php7)

[CVE-2023-26860] Improper neutralization of SQL parameter in lgbudget module for PrestaShop

In the module “Save your carts and buy later” (lgbudget) for PrestaShop, an authenticated user can perform a blind SQL injection up to 1.0.3. Release 1.0.4 fixed this security issue.

[CVE-2023-28843] Improper neutralization of SQL parameter in PayPal module for PrestaShop 1.6 and 1.5

SQL injection vulnerability found in the module “PayPal Official Module” (aka paypal) for PrestaShop from 3.12.0 to 3.16.3. (3.16.4 fix the issue) allow a remote attacker to gain privileges.

[CVE-2023-27639][CVE-2023-27640][CWE-22] Multiple path traversal in Custom Product Designer (tshirtecommerce) module for PrestaShop

In the Custom Product Designer (tshirtecommerce) module for PrestaShop, HTTP requests can be forged using POST and GET parameters enabling a remote attacker to perform directory traversal on the system and view the contents of code files. Since the module appears not to have been maintained since 2019, it is strongly recommended to remove it.

[CVE-2023-26858] Improper neutralization of SQL parameter in faqs module for PrestaShop

In the module “Frequently Asked Questions (FAQ) page” (faqs) for PrestaShop, an attacker can perform SQL injection up to 3.1.5. Release 3.1.6 fixed this security issue.

[CVE-2023-27847] Improper neutralization of multiple SQL parameters in the xipblog module for PrestaShop

In the blog module (xipblog), an anonymous user can perform SQL injection. Even though the module has been patched in version 2.0.1, the version number was not incremented at the time. We consider the issue resolved in versions after 2.0.1.

[CVE-2023-27637][CVE-2023-27638][CWE-89] Improper neutralization of SQL parameters in module Prestashop Custom Product Designer (tshirtecommerce) for PrestaShop

In the module Custom Product Designer (tshirtecommerce), an anonymous user can perform an SQL injection attack. The vulnerability is actively exploited by bots. As the module doesn’t seems to be maintained since 2019, it’s strongly suggested to remove it.

[CVE-2023-27569]-[CVE-2023-27570] Improper neutralization of SQL parameters in Profileo : Tracking et Conversions (eo_tags) module for PrestaShop

In the module Tracking et Conversions (eo_tags) prior to version 1.4.19, an anonymous user can perform an SQL injection attack.

[CVE-2023-25206] Multiple improper neutralization of SQL parameters in ws_productreviews module for PrestaShop

In the module “Advanced Reviews: Photos, Reminder, Google Snippets” (ws_productreviews), an anonymous user can perform SQL injection in affected versions. 3.6.2 fixed vulnerabilities.

[CVE-2023-29630] Blind SQL injection vulnerability in Jms Vertical MegaMenu (jmsvermegamenu) PrestaShop module

The module Jms Vertical MegaMenu (jmsvermegamenu) from Joommasters contains a Blind SQL injection vulnerability. This module is for the PrestaShop e-commerce platform and mainly provided with joo masters PrestaShop themes

[CVE-2023-29629] Blind SQL injection vulnerability in Jms Theme Layout (jmsthemelayout) PrestaShop module

The module Jms Theme Layout (jmsthemelayout) from Joommasters contains a Blind SQL injection vulnerability. This module is for the PrestaShop e-commerce platform and mainly provided with joo masters PrestaShop themes

[CVE-2023-29631] Unrestricted upload vulnerability in Jms Slider (jmsslider) PrestaShop module

The module Jms Slider (jmsslider) from Joommasters contains an unrestricted upload of file with dangerous type vulnerability. This module is for the PrestaShop e-commerce platform and mainly provided with joo masters PrestaShop themes

[CVE-2023-29632] Blind SQL injection vulnerability in Jms Page Builder (jmspagebuilder) PrestaShop module

The module Jms Page Builder (jmspagebuilder) from Joommasters contains a Blind SQL injection vulnerability. This module is for the PrestaShop e-commerce platform and mainly provided with joo masters PrestaShop themes

[CVE-2023-29630] Blind SQL injection vulnerability in Jms MegaMenu (jmsmegamenu) PrestaShop module

The module Jms MegaMenu (jmsmegamenu) from Joommasters contains a Blind SQL injection vulnerability. This module is for the PrestaShop e-commerce platform and mainly provided with joo masters PrestaShop themes

Blind SQL injection vulnerability in Jms Blog (jmsblog) PrestaShop module

The module Jms Blog (jmsblog) from Joommasters contains a Blind SQL injection vulnerability. This module is for the PrestaShop e-commerce platform and mainly provided with joo masters PrestaShop themes

[CVE-2023-25170] Possible CSRF token fixation (CWE-352)

Not clear CSRF tokens upon login…

[CVE-2023-25207] Multiple improper neutralization of SQL parameters in DPD France module for PrestaShop

In the module “DPD France” (dpdfrance) for PrestaShop, a remote attaker can perform a blind SQL injection in affected versions. Release 6.1.3 fixed vulnerabilities.

[CVE-2023-24763] Multiple improper neutralization of SQL parameters in XenForum module for PrestaShop

In the module “Xen Forum” (xenforum) edited by App1pro, an authenticated user can perform SQL injection in affected versions. 2.13.0 fixed vulnerabilities.

CWE-79 Danger of stored XSS vulnerability in CMS especially for Wordpress

As a developer, the severity level is often considered to be low. By underestimating the gravity, we lower our guard against these vulnerabilities. However, some types of vulnerabilities called “stored XSS” are particularly critical when they spread from the front office to the back office.

Backoffices's compromised links

CWE-89 (SQL Injection) on Prestashop can force a super admin creation without difficulty. If your Prestashop suffer of a known backoffice’s link (see list below), the attacker can use the “Forgotten password” functionnality after the creation of the super admin user by SQL Injection and then, will be able to connect to the Shop’s backoffice.

[CVE-2023-23315] Improper neutralization of an SQL parameter in stripejs module for PrestaShop

The PrestaShop e-commerce platform module “Stripe Payment Pro (SCA-ready)” aka stripejs (*) contains a Blind SQL injection vulnerability up to version 4.5.5. Release 4.5.5 fixed the vulnerability.

CWE-79 Danger of stored XSS vulnerability in CMS especially for PrestaShop

As a developer, the severity level is often considered to be low. By underestimating the gravity, we lower our guard against these vulnerabilities. However, some types of vulnerabilities called “stored XSS” are particularly critical when they spread from the front office to the back office.

[CVE-2022-46965] Improper neutralization of an SQL parameter in Administrative Mandate module for PrestaShop

In the module “Administrative Mandate” (totadministrativemandate), an authenticated user can perform SQL injection in affected versions.

[CVE-2022-46639] Directory traversal in the descarga_etiqueta.php component of Correos Prestashop

From version v1.1.0.0 and v1.2.x+ correosoficial Module for Prestashop 1.7.x allows remote attackers to read local files and attack intranet hosts.

[CVE-2023-26864] Blind SQL injection vulnerability in Redirections Manager (smplredirectionsmanager) PrestaShop module

The module Redirections Manager (smplredirectionsmanager) from Smart Plugs contains a Blind SQL injection vulnerability up to version 1.1.19. This module is for the PrestaShop e-commerce platform.

[CVE-2022-22897] Major updates > SQL Injections in PrestaShop appagebuilder module up to 2.4.5

PrestaShop Ap Pagebuilder module versions 2.4.5 and below suffer from several remote SQL injection vulnerability.

[CVE-2022-44727] Blind SQL injection vulnerability in PrestaShop lgcookieslaw module

The PrestaShop e-commerce platform module EU Cookie Law GDPR (Banner + Blocker) contains a Blind SQL injection vulnerability up to version 2.1.2. This module is widely deployed and is a “Best seller” on the add-ons store.

Chain: SQL Injection (CWE-89) and Eval Injection (CWE-95)

In versions from 1.6.0.10 and before 1.7.8.7 PrestaShop is subject to an SQL injection vulnerability which can be chained to call PHP’s Eval function on attacker input.

[CVE-2022-31101] Invalid order neutralization in an SQL query in PrestaShop blockwishlist module

blockwishlist is a prestashop extension which adds a block containing the customer’s wishlists. In affected versions an authenticated customer can perform SQL injection. This issue is fixed in version 2.1.1. Users are advised to upgrade. There are no known workarounds for this issue.

[CVE-2020-9368][CWE-22] Path traversal in Olea Gift On Order module (giftonorder) module for PrestaShop

The Module Olea Gift On Order module through 5.0.8 for PrestaShop enables an unauthenticated user to read arbitrary files on the server via getfile.php?file=/.. directory traversal.

[CVE-2017-9841] PHUnit dependancy in PrestaShop and modules allows remote arbitrary PHP code execution

Modules include the vulnerable dependancy are:

• 1-Click Upgrade (autoupgrade) from 4.0.0 to 4.10.1
• Cart Abandonment Pro (pscartabandonmentpro) from 2.0.1 to 2.0.10
• Faceted Search (ps_facetedsearch) from 2.2.1 to 3.4.1
• Merchant Expertise (gamification) from 2.1.0 to 2.3.2
• PrestaShop Checkout (ps_checkout) from 1.0.8 to 1.2.9