IMPORTANT NOTICE: DO NOT REPORT VULNERABILITIES SOLELY TO THE AUTHOR OR MARKETPLACE.
We urge you to report any vulnerabilities directly to us. Our mission is to ensure the safety and security of the PrestaShop ecosystem. Unfortunately, many module developers do not always recognize or acknowledge the vulnerabilities in their code, whether through lack of awareness, an inability to properly evaluate the associated risk, or other reasons.
Given the rise in professional cybercrime networks actively seeking out these vulnerabilities, it is crucial that any potential threats are promptly addressed and the community is informed. The most effective way to do this is to publish a CVE, like the ones listed below.
Should you discover any vulnerabilities, please report them to us at: report[@]security-presta.org or visit https://security-presta.org for more information.
Every vulnerability report helps make the community more secure, and we are profoundly grateful for any information shared with us.
-
[CVE-2024-41670] Improperly Implemented Security Check for Standard in PayPal Official for PrestaShop
In the module “PayPal Official” for PrestaShop 1.7+ release <= 6.4.1 and for PrestaShop 1.6 release <= 3.18.0, a malicious customer can get an order marked as “payment accepted” even if the payment is ultimately declined by PayPal.
-
[CVE-2024-36683] Improper neutralization of SQL parameter in Smart Modules - Products Alert module for PrestaShop
In the module “Products Alert” (productsalert) up to version 1.7.4 from Smart Modules for PrestaShop, a guest can perform SQL injection in affected versions.
-
[CVE-2024-34989] Improper neutralization of SQL parameter in RSI PDF/HTML catalog evolution (prestapdf) module for PrestaShop
In the module RSI PDF/HTML catalog evolution (prestapdf) from RSI for PrestaShop, a guest can perform SQL injection in affected versions.
-
[CVE-2024-36682] Exposure of Private Personal Information to an Unauthorized Actor in Promokit.eu - Theme settings module for PrestaShop
In the module “Theme settings” (pk_themesettings) from Promokit.eu for PrestaShop, a guest can download all email addresses collected while the shop is in maintenance mode.
-
[CVE-2024-36681] Improper neutralization of SQL parameter in Promokit.eu - Isotope module for PrestaShop
In the module “Isotope” (pk_isotope) from Promokit.eu for PrestaShop, a guest can perform SQL injection in affected versions.
-
[CVE-2023-50029] Improper Control of Generation of Code in PrestaAddons - M4 PDF Extensions module for PrestaShop
In the module “M4 PDF Extensions” (m4pdf) up to version 3.3.2 from PrestaAddons for PrestaShop, a guest can perform PHP code injection in affected versions.
-
[CVE-2024-34992] Improper neutralization of SQL parameter in FME Modules - Help Desk - Customer Support Management System module for PrestaShop
In the module “Help Desk - Customer Support Management System” (helpdesk) up to version 2.4.0 from FME Modules for PrestaShop, a guest can perform SQL injection in affected versions.
-
[CVE-2024-34991] Exposure of Private Personal Information to an Unauthorized Actor in Quadra Informatique - Axepta module for PrestaShop
In the module “Axepta” (axepta) from Quadra Informatique for PrestaShop, a guest can download partial credit card information (expiry date), postal addresses, email addresses, and other personal data without restriction.
-
[CVE-2024-34988] Improper neutralization of SQL parameter in Buy Addons - Complete for Create a Quote in Frontend + Backend Pro module for PrestaShop
In the module “Complete for Create a Quote in Frontend + Backend Pro” (askforaquotemodul) up to version 1.0.52 from Buy Addons for PrestaShop, a guest can perform SQL injection in affected versions.
-
[CVE-2024-36680] Improper neutralization of SQL parameter in Promokit.eu - Facebook module for PrestaShop
In the module “Facebook” (pkfacebook) from Promokit.eu for PrestaShop, a guest can perform SQL injection in affected versions.
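Most entries on this page are SQL injections reachable by an unauthenticated guest, which in PrestaShop modules almost always comes down to a request value concatenated into a query string. The following is an added illustration written for this page, not code taken from any of the modules above: the table name `example_alert`, the column names and the request parameters are hypothetical. It shows the injectable pattern next to the three fixes a reviewer would expect, casting integers, escaping strings with PrestaShop's `pSQL()`, and whitelisting identifiers (which no escaping function protects).

```php
<?php
// Added example for this page; hypothetical table/column names, not any listed module's code.
// Assumes a PrestaShop runtime: Db, DbQuery, Tools, pSQL() and _DB_PREFIX_ are provided by the core.

// --- Vulnerable: the raw request value is spliced straight into the SQL string ---
function getAlertsVulnerable(Db $db): array
{
    // A guest controls this value entirely, so anything after "id_product = " is attacker SQL.
    $idProduct = Tools::getValue('id_product');
    $sql = 'SELECT * FROM `' . _DB_PREFIX_ . 'example_alert` WHERE `id_product` = ' . $idProduct;
    return (array) $db->executeS($sql);
}

// --- Hardened: every user-controlled fragment is constrained by its type before it reaches SQL ---
function getAlertsHardened(Db $db): array
{
    // Integer column: cast, so the value can only ever be digits.
    $idProduct = (int) Tools::getValue('id_product');

    // String column: pSQL() escapes for the database driver; the quotes around it are still required.
    $email = pSQL(Tools::getValue('email'));

    // Identifiers (column names, sort direction) cannot be escaped; allow only known values.
    $allowedSort = ['id_example_alert', 'date_add'];
    $sort = Tools::getValue('sort');
    if (!in_array($sort, $allowedSort, true)) {
        $sort = 'id_example_alert';
    }
    $direction = Tools::getValue('dir') === 'ASC' ? 'ASC' : 'DESC';

    // DbQuery prefixes the table name with _DB_PREFIX_ itself.
    $query = new DbQuery();
    $query->select('*')
        ->from('example_alert')
        ->where('id_product = ' . $idProduct)
        ->where("customer_email = '" . $email . "'")
        ->orderBy('`' . $sort . '` ' . $direction);

    return (array) $db->executeS($query);
}
```

When auditing a module, grep its controllers and classes for `Tools::getValue(` and `$_GET`/`$_POST` and follow each value to the nearest `executeS`, `execute`, `getRow` or `getValue` call: any path where the value reaches the query without a cast, a quoted `pSQL()` or a whitelist check is the pattern behind the advisories above. Also check that front controllers meant for logged-in customers verify `$this->context->customer->isLogged()`, since every entry here is exploitable by a guest.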