Friends-Of-Presta Security Advisories
  • Jan 31, 2023 • #modules • high (8.3)

    [CVE-2022-46965] Improper neutralization of an SQL parameter in Administrative Mandate module for PrestaShop

    In the module “Administrative Mandate” (totadministrativemandate), an authenticated user can perform SQL injection in affected versions.

  • Jan 23, 2023 • #modules • high (7.5)

    [CVE-2022-46639] Directory traversal in the descarga_etiqueta.php component of Correos Prestashop

    From version v1.1.0.0 and v1.2.x+, the correosoficial module for PrestaShop 1.7.x allows remote attackers to read local files and attack intranet hosts.

  • Jan 17, 2023 • #modules • critical (9.8)

    Blind SQL injection vulnerability in Redirections Manager (smplredirectionsmanager) PrestaShop module

    The module Redirections Manager (smplredirectionsmanager) from Smart Plugs contains a Blind SQL injection vulnerability up to version 1.1.19. This module is for the PrestaShop e-commerce platform.

  • Jan 5, 2023 • #modules • critical (9.8)

    [CVE-2022-22897] Major updates > SQL Injections in PrestaShop appagebuilder module up to 2.4.5

    PrestaShop Ap Pagebuilder module versions 2.4.5 and below suffer from several remote SQL injection vulnerabilities.

  • Nov 6, 2022 • #modules • critical (9.4)

    [CVE-2022-44727] Blind SQL injection vulnerability in PrestaShop lgcookieslaw module

    The PrestaShop e-commerce platform module EU Cookie Law GDPR (Banner + Blocker) contains a Blind SQL injection vulnerability up to version 2.1.2. This module is widely deployed and is a “Best seller” on the add-ons store.

  • Jul 25, 2022 • #core • critical (9.8)

    Chain: SQL Injection (CWE-89) and Eval Injection (CWE-95)

    In versions from 1.6.0.10 and before 1.7.8.7, PrestaShop is subject to an SQL injection vulnerability which can be chained to call PHP’s eval() function on attacker input.

  • Jun 24, 2022 • #modules • high (8.1)

    [CVE-2022-31101] Invalid order neutralization in an SQL query in PrestaShop blockwishlist module

    blockwishlist is a PrestaShop extension which adds a block containing the customer’s wishlists. In affected versions an authenticated customer can perform SQL injection. This issue is fixed in version 2.1.1. Users are advised to upgrade. There are no known workarounds for this issue.

  • Jan 7, 2020 • #dependancies • 9.8

    [CVE-2017-9841] PHPUnit dependency in PrestaShop and modules allows remote arbitrary PHP code execution

    Modules that include the vulnerable dependency are: 1-Click Upgrade (autoupgrade) from 4.0.0 to 4.10.1, Cart Abandonment Pro (pscartabandonmentpro) from 2.0.1 to 2.0.10, Faceted Search (ps_facetedsearch) from 2.2.1 to 3.4.1, Merchant Expertise (gamification) from 2.1.0 to 2.3.2, PrestaShop Checkout (ps_checkout) from 1.0.8 to 1.2.9.


Friends Of Presta is a non-profit organization that supports the open-source e-commerce platform PrestaShop.