Summary

• CVE ID: CVE-2026-39079
• Published at: 2026-05-18
• Advisory source: labs.esokia.com (esokia.com)
• Platform: PrestaShop
• Product: upsshipping
• Impacted release: all versions (through at least 2.4.0) - no fixed version, vendor defunct
• Product author: Agence Web 360
• Weakness: CWE-552 (primary), CWE-532 (contributing), CWE-295 (secondary)
• Severity: high (8.6)

Description

The modules/upsshipping/logs/ directory ships without any access control mechanism. There is no .htaccess file anywhere in the module, and the logs/ directory is the only subdirectory without the blank index.php guard. As a result, any file written to that directory is directly reachable over HTTP without authentication.

Filenames written by the module follow a deterministic pattern based on time():

UPSRatingApi-request-{unix_timestamp}.xml
UPSShippingApi-request-{unix_timestamp}.xml
UPSTrackingApi-request-{unix_timestamp}.xml

(and their -response- counterparts). Enumeration of historical files is therefore trivial.

In lib/UPSBaseApi.php, the catch (Exception $e) block of the SOAP call writes the full request and response to disk unconditionally, regardless of the $this->log debug flag. Every UPS API error (invalid tracking number, timeout, validation rejection, and so on) leaves a record on disk containing the full SOAP envelope, including the UPSSecurity header with the merchant’s UPS API credentials in clear text.

The clearLogs() routine intended to remove files older than 30 minutes does not run reliably. On a confirmed affected instance, the directory contained 2,381,841 XML files (~ 8.7 GB) spanning February 2023 to April 2026.

Example of the data exposed in a single request file (values redacted):

<ns3:Username>XXXXXX</ns3:Username>
<ns3:Password>XXXXXX</ns3:Password>
<ns3:AccessLicenseNumber>XXC2BB3311XXXXXX</ns3:AccessLicenseNumber>
<ns2:ShipperNumber>3XYXXX</ns2:ShipperNumber>
<ns2:TaxIdentificationNumber>FR00819XXXX</ns2:TaxIdentificationNumber>
<ns2:Name>Customer Name</ns2:Name>
<ns2:Phone><ns2:Number>460768XXXXXX</ns2:Number></ns2:Phone>
<ns2:AddressLine>Västervägen XX</ns2:AddressLine>
<ns2:City>Vindeln</ns2:City>
<ns2:PostalCode>922 31</ns2:PostalCode>
<ns2:CountryCode>SE</ns2:CountryCode>

A secondary weakness exists in lib/UPSLocatorApi.php, where TLS certificate validation is disabled (CURLOPT_SSL_VERIFYPEER=0, CURLOPT_SSL_VERIFYHOST=0), enabling man-in-the-middle interception of Locator API traffic (CWE-295).

The vendor (Agence Web 360, Golfe-Juan, France) is confirmed defunct: the domain agence-web-360.com is listed for sale, the Facebook page has been inactive since 2016, and prior contact attempts over the past years received no response. The module is no longer maintained and no fix will be released.

CVSS base metrics

• Attack vector: network
• Attack complexity: low
• Privilege required: none
• User interaction: none
• Scope: changed
• Confidentiality: high
• Integrity: none
• Availability: none

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

The Scope is rated as Changed because the exposed credentials and technical data belong to a separate security authority (the merchant’s UPS account / UPS API platform), alongside customer personal data subject to GDPR.

Possible malicious usage

• Retrieve valid UPS API credentials (Username, Password, AccessLicenseNumber) of the affected merchant
• Retrieve the UPS shipper account number and use it to create fraudulent shipments billed to the merchant’s UPS account
• Retrieve customer personally identifiable information (full names, postal addresses, phone numbers, order references)
• Trigger GDPR breach-notification obligations for the affected merchant

Patch

No vendor patch will be released. The vendor is defunct and unreachable.

The only durable remediation is to fully remove the module from the PrestaShop installation. Disabling the module from the back office is not sufficient: the files remain on disk and the logs/ directory remains reachable over HTTP. The module must be uninstalled and the modules/upsshipping/ directory deleted from the filesystem.

As a temporary holding measure only, while a migration to a maintained shipping module is in progress, merchants can block public access to the logs directory at the web-server level.

Apache (modules/upsshipping/logs/.htaccess):

# Apache 2.4+
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>

# Apache 2.2 fallback
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>

Options -Indexes -ExecCGI
<FilesMatch ".*">
    SetHandler default-handler
</FilesMatch>

nginx (inside the server block):

location ^~ /modules/upsshipping/logs/ {
    deny all;
    return 403;
}

In all cases, the existing XML log files should be purged, the UPS API credentials rotated (UPS account password and AccessLicenseNumber), and UPS account activity reviewed for unauthorized shipments. GDPR breach-notification obligations must be assessed.

Other recommendations

• It’s highly recommended to fully remove the module since no fix will ever be released by the vendor. If the module is still required, migrate to a maintained alternative as soon as possible.
• Inventory all installed modules and identify those whose vendor is no longer active. A module from a defunct vendor will never receive a security fix and should be removed, not merely disabled.
• Restrict direct HTTP access to module subdirectories that should never be web-reachable (logs/, cache/, tmp/, tests/, exports/, etc.) at the web-server level, as a defense-in-depth measure independent of module-shipped .htaccess or index.php guards.
• Review the use of verbose logging in production. Any logging mechanism that writes credentials, tokens or PII to disk should be disabled, regardless of vendor “debug flags”. When logs are unavoidable, store them outside the web root and use unpredictable filenames.
• Activate OWASP CRS rules on your WAF to block suspicious requests targeting common module log/debug paths and to rate-limit enumeration attempts.

Timeline

Links

• Esokia security advisory
• National Vulnerability Database
• Vendor (defunct, domain for sale)
• Vendor Facebook page (inactive since 2016)

Summary

• CVE ID: CVE-2025-69633
• Published at: 2026-02-13
• Advisory source: labs.esokia.com (esokia.com)
• Platform: PrestaShop
• Product: advancedpopupcreator
• Impacted release: < 1.2.7 (1.2.7 fixed issue)
• Product author: Idnovate
• Weakness: CWE-89
• Severity: critical (9.8)

Description

Up to version 1.2.6, SQL queries in the FrontController endpoint popup.php of the Advanced Popup Creator (advancedpopupcreator) module can be exploited through trivial HTTP requests to perform SQL injection via the fromController parameter submitted through POST or GET.

This vulnerability was observed during incident response investigations and may have been actively exploited in the wild.

The vendor confirmed that the vulnerability has been present since at least version 1.1.26. The exact version in which it was introduced has not been determined. Therefore, we consider that all versions prior to 1.2.7 are vulnerable.

This vulnerability relies on PrestaShop’s FrontController, which allows attackers to hide the module controller’s path during the exploit. As a result, conventional frontend logs won’t reveal that this vulnerability is being exploited. Only POST / will be visible in logs. Activating the AuditEngine of mod_security (or similar) is the only way to get data to confirm this exploit.

CVSS base metrics

• Attack vector: network
• Attack complexity: low
• Privilege required: none
• User interaction: none
• Scope: unchanged
• Confidentiality: high
• Integrity: high
• Availability: high

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Possible malicious usage

• Retrieve administrator credentials and ultimately obtain admin access to BackOffice
• Discover back-office URL
• Extract sensitive database information

Patch

The issue was fixed by sanitizing $controller using pSQL():

- OR FIND_IN_SET("' . $controller . '", `controller_exceptions`))';
+ OR FIND_IN_SET("' . pSQL($controller) . '", `controller_exceptions`))';

Applied at two different places in the code:

• Line ~371
• Line ~986

Fixed version: 1.2.7

Other recommendations

• It’s highly recommended to upgrade the module to the latest version or to delete the module if unused.
• Enforce strong Back Office authentication controls. Enable Two-Factor Authentication (2FA), preferably TOTP-based for all accounts in BackOffice. Make sure that the module is not storing TOTP secret keys in plaintext within the database.
• Restrict and rotate the Back Office URL. Do not expose the administration URL publicly. If it has been disclosed or indexed, rename and restrict it immediately.
• To help improve the security of your PrestaShop installation, we recommend upgrading to the latest version. One of the benefits of upgrading is that it will disable the use of multiquery executions (separated by semicolons). However, please be aware that this will not protect your shop against SQL injection attacks that use the UNION clause to steal data. Additionally, it’s important to note that PrestaShop includes a function called pSQL, which includes a strip_tags function. This helps protect your shop against Stored XSS (also known as XSS T2) of Category 1. If a pSQL function is missing, it could potentially expose your project to critical Stored XSS vulnerabilities due to edge cases. Therefore, it’s crucial to ensure that all relevant functions are properly implemented and used consistently throughout your project.
• Change the default database prefix ps_ with a new longer, arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skills because of a design vulnerability in DBMS
• Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

Timeline

Links

• Download page on PrestaShop Marketplace
• Esokia security advisory
• National Vulnerability Database

Summary

• CVE ID: CVE-2025-61922
• Published at: 2025-10-16
• Advisory source: PrestaShopCorp GitHub Security Advisory
• Platform: PrestaShop
• Product: ps_checkout
• Impacted release: >= 1.3.0, < 4.4.1, < 5.0.5 (see version details below)
• Product author: PrestaShop
• Weakness: CWE-358
• Severity: critical (9.1)

Description

The issue was introduced in PrestaShop Checkout 1.3.0. A missing validation on the Express Checkout feature allows attackers to perform silent authentication, leading to customer account takeover via email. All versions above 1.3.0 are vulnerable except the patched versions.

Important note about version numbering: The first digit of the version displayed in the PrestaShop back office corresponds to the PrestaShop version. Therefore:

• For PrestaShop 1.7: versions < 7.5.0.5 require an update
• For PrestaShop 8: versions < 8.5.0.5 require an update
• For PrestaShop 9: versions < 9.5.0.5 require an update

CVSS base metrics

• Attack vector: network
• Attack complexity: low
• Privilege required: none
• User interaction: none
• Scope: unchanged
• Confidentiality: high
• Integrity: high
• Availability: none

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Possible malicious usage

• Customer account takeover
• Unauthorized order placement using compromised accounts

Patches

The problem has been patched in the following versions published on 2025-10-16:

• v4.4.1 for PrestaShop 1.7 (build number: 7.4.4.1)
• v4.4.1 for PrestaShop 8 (build number: 8.4.4.1)
• v5.0.5 for PrestaShop 1.7 (build number: 7.5.0.5)
• v5.0.5 for PrestaShop 8 (build number: 8.5.0.5)
• v5.0.5 for PrestaShop 9 (build number: 9.5.0.5)

Read the PrestaShop Checkout Versioning policy to learn more about build numbers and versions.

Other recommendations

• It’s highly recommended to upgrade the module to the latest patched version immediately.
• Review your logs for any suspicious authentication activities
• Consider notifying affected customers if you suspect account compromise
• Monitor for unusual order or account activity patterns

Timeline

Credits

We would like to thank Léo CUNÉAZ for reporting the issue.

Links

• PrestaShop Checkout on PrestaShop Addons
• PrestaShopCorp GitHub Security Advisory GHSA-54hq-mf6h-48xh
• National Vulnerability Database

Summary

• CVE ID: CVE-2025-51586
• Published at: 2025-09-04
• Platform: PrestaShop (Core)
• Impacted release: from 1.7 to 8.2.2 - fixed in 8.2.3
• Product author: PrestaShop
• Weakness: CWE-359 – Exposure of Private Information (‘Privacy Violation’)
• Severity: Moderate.
  • CVSS v3.1 base score: 4.2 (as assessed in the PrestaShop advisory)
  • Based on the criteria applied in this advisory: 3.7 (Low) (see vector string below)

Root cause (before fix): the template variables for the reset form were assigned without first verifying that the reset_token matched the employee’s currently valid reset token (including validity window).

CVSS base metrics

• Attack vector: Network (AV:N)
• Attack complexity: High (AC:H)
• Privileges required: None (PR:N)
• User interaction: None (UI:N)
• Scope: Unchanged (S:U)
• Confidentiality: Low (C:L)
• Integrity: None (I:N)
• Availability: None (A:N)

Vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N - 3.7 (Low)

Proof of concept

When an invalid reset_token is supplied together with a valid id_employee, the application still renders the password reset form and includes the employee’s email address in a hidden field. By incrementing or iterating through id_employee values, an attacker can systematically enumerate all Back Office user emails.

For security reasons, the full proof of concept request/response sequence is not fully disclosed here. The vulnerability cannot be reliably mitigated by common WAF rules, as the flaw resides in the application logic itself.

Patch

Based on editor patch: https://github.com/PrestaShop/PrestaShop/pull/39479/commits/c97bdf10f77fedbe5a61a1dec5f96b3abb1d76fb

Minimal logic hardening (as merged upstream)

Only render the reset form (and especially reset_email) if both parameters are present and the token is valid for the selected employee:

- // For reset password feature
- if ($reset_token = Tools::getValue('reset_token')) {
-     $this->context->smarty->assign('reset_token', $reset_token);
- }
- if ($id_employee = Tools::getValue('id_employee')) {
-     $this->context->smarty->assign('id_employee', $id_employee);
-     $employee = new Employee($id_employee);
-     if (Validate::isLoadedObject($employee)) {
-         $this->context->smarty->assign('reset_email', $employee->email);
-     }
- }
+ // For reset password feature (safe: only when token is valid)
+ $reset_token = Tools::getValue('reset_token');
+ $id_employee = Tools::getValue('id_employee');
+ if ($reset_token !== false && $id_employee !== false) {
+     $this->context->smarty->assign('reset_token', $reset_token);
+     $this->context->smarty->assign('id_employee', $id_employee);
+     $employee = new Employee((int) $id_employee);
+     if (Validate::isLoadedObject($employee)) {
+         $valid_reset_token = $employee->getValidResetPasswordToken();
+         if ($valid_reset_token !== false && hash_equals($valid_reset_token, (string) $reset_token)) {
+             $this->context->smarty->assign('reset_email', $employee->email);
+         }
+     }
+ }

Upstream fix is included in PrestaShop 8.2.3.

Other recommendations

• Enforce rate limiting on the password reset endpoint.
• Install a security module that enable 2FA for BackOffice login.
• Keep your Back Office URL secret and rotate it if leaked.
• Keep your PrestaShop up to date

References

• Upstream fix (commit inside 8.2.3 bump PR):
  https://github.com/PrestaShop/PrestaShop/pull/39479/commits/c97bdf10f77fedbe5a61a1dec5f96b3abb1d76fb
• PrestaShop repository: https://github.com/PrestaShop/PrestaShop
• PrestaShop security advisory: https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-8xx5-h6m3-jr33
• CVE record: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-51586
• Original author advisory: https://maxime-morel.github.io/advisories/2025/CVE-2025-51586.md

Timeline

Summary

• CVE ID: CVE-2023-45256
• Published at: 2025-06-10
• Advisory source: Friends-Of-Presta.org
• Platform: PrestaShop
• Product: MoneticoPaiement
• Impacted release: <= 1.1.0 (1.1.1 fixed issue)
• Product author: Monetico Paiement/EuroInformation
• Weakness: CWE-89
• Severity: critical (9.8)

Description

Up to 1.1.0, SQL queries in FrontController endpoints transaction.php, callback.php and validation.php can be exploited with trivial HTTP calls to forge SQL injections through the POST or GET submitted TPE, MAC, societe, reference and aliascb variables.

This vulnerability relies on PrestaShop’s FrontController, which allows attackers to hide the module controller’s path during the exploit. As a result, conventional frontend logs won’t reveal that this vulnerability is being exploited. Only POST / will be visible in logs. Activating the AuditEngine of mod_security (or similar) is the only way to get data to confirm this exploit.

CVSS base metrics

• Attack vector: network
• Attack complexity: low
• Privilege required: none
• User interaction: none
• Scope: unchanged
• Confidentiality: high
• Integrity: high
• Availability: high

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Possible malicious usage

• Obtain admin access
• Remove data from the associated PrestaShop
• Copy/paste data from sensitive tables to FRONT to expose tokens and unlock admin’s ajax scripts
• Rewrite SMTP settings to hijack emails

Patch

--- a/modules/MoneticoPaiement/MoneticoPaiement.php
+++ b/modules/MoneticoPaiement/MoneticoPaiement.php
@@ -137,7 +137,7 @@ class MoneticoPaiementCodeSite extends \ObjectModel
             $sql = new \DbQuery();
             $sql->select('*');
             $sql->from('monetico_code_site_3dsv2');
-            $sql->where('code_site_id = ' . $this->getIdCodeSite());
+            $sql->where('code_site_id = ' . (int)$this->getIdCodeSite());
 
             $this->set3DSV2(Db::getInstance()->executeS($sql));
         }
@@ -388,8 +388,8 @@ class MoneticoPaiementCodeSite extends \ObjectModel
             $sql = new \DbQuery();
             $sql->select('*');
             $sql->from('monetico_code_site_opts');
-            $sql->where('code_site_id = ' . $this->getIdCodeSite());
-            $sql->where('opt = "' . $name . '"');
+            $sql->where('code_site_id = ' . (int)$this->getIdCodeSite());
+            $sql->where('opt = "' . pSQL($name) . '"');
 
             $options = Db::getInstance()->executeS($sql);
             if ($multiple_option) {
@@ -416,7 +416,7 @@ class MoneticoPaiementCodeSite extends \ObjectModel
             $sql = new \DbQuery();
             $sql->select('*');
             $sql->from('monetico_code_site_3dsv2');
-            $sql->where('code_site_id = ' . $this->getIdCodeSite());
+            $sql->where('code_site_id = ' . (int)$this->getIdCodeSite());
 
             $data_3dsv2 = Db::getInstance()->executeS($sql);
         }
@@ -476,8 +476,8 @@ class MoneticoPaiementCodeSite extends \ObjectModel
             $sql = new \DbQuery();
             $sql->select('*');
             $sql->from('monetico_code_site_opts');
-            $sql->where('code_site_id = ' . $this->getIdCodeSite());
-            $sql->where('opt = "' . $name . '"');
+            $sql->where('code_site_id = ' . (int)$this->getIdCodeSite());
+            $sql->where('opt = "' . pSQL($name) . '"');
 
             $option = Db::getInstance()->executeS($sql);

--- a/modules/MoneticoPaiement/class/MoneticoPaiementEPT.php
+++ b/modules/MoneticoPaiement/class/MoneticoPaiementEPT.php
@@ -312,7 +312,7 @@ class MoneticoPaiementEPT extends \ObjectModel
         $sql = new \DbQuery();
         $sql->select('*');
         $sql->from('monetico_code_site');
-        $sql->where('code_site_ept_id = ' . $this->id_ept);
+        $sql->where('code_site_ept_id = ' . (int)$this->id_ept);
         return Db::getInstance()->executeS($sql);
     }
 
@@ -108,7 +108,7 @@ class MoneticoPaiementHelper
         $sql = new \DbQuery();
         $sql->select('ept_number');
         $sql->from('monetico_ept');
-        $sql->where('id_ept = ' . $id);
+        $sql->where('id_ept = ' . (int)$id);
 
         $row = Db::getInstance()->getValue($sql);
         return $row ?? '';
@@ -123,10 +123,10 @@ class MoneticoPaiementHelper
         $sql = new \DbQuery();
         $sql->select('ept_mac');
         $sql->from('monetico_ept');
-        $sql->where('ept_number = "' . $ept_number . '"');
+        $sql->where('ept_number = "' . pSQL($ept_number) . '"');
 
         if (isset($id)) {
-            $sql->where('id_ept != ' . $id);
+            $sql->where('id_ept != ' . (int)$id);
         }
 
         $row = Db::getInstance()->getValue($sql);

@@ -144,7 +144,7 @@ class MoneticoPaiementHelper
         $sql = new \DbQuery();
         $sql->select('*');
         $sql->from('monetico_code_site');
-        $sql->where('code_site_name = "' . $code_societe_name . '"');
+        $sql->where('code_site_name = "' . pSQL($code_societe_name) . '"');
 
         return Db::getInstance()->getRow($sql);
     }
@@ -159,7 +159,7 @@ class MoneticoPaiementHelper
         $sql = new \DbQuery();
         $sql->select('*');
         $sql->from('monetico_ept');
-        $sql->where('ept_number = "' . $ept_number . '"');
+        $sql->where('ept_number = "' . pSQL($ept_number) . '"');
 
         return Db::getInstance()->getRow($sql);
     }
@@ -222,8 +222,8 @@ class MoneticoPaiementHelper
                 $sql = new \DbQuery();
                 $sql->select('code_site_id');
                 $sql->from('monetico_code_site_opts');
-                $sql->where(' `opt` = "' . $filter_key . '"');
-                $sql->where('`value` = "' . $filter_value . '"');
+                $sql->where(' `opt` = "' . pSQL($filter_key) . '"');
+                $sql->where('`value` = "' . pSQL($filter_value) . '"');
 
                 $options = Db::getInstance()->executeS($sql);
                 $filter_ids = [];
@@ -263,7 +263,7 @@ class MoneticoPaiementHelper
             $sql = new \DbQuery();
             $sql->select('*');
             $sql->from('monetico_code_site');
-            $sql->where('id_code_site IN (' . $code_site_where_in . ')');
+            $sql->where('id_code_site IN (' . pSQL($code_site_where_in) . ')');
             $sql->where('code_site_active = 1');
             $result = Db::getInstance()->executeS($sql);
             foreach ($result as $code_site) {

@@ -288,8 +288,8 @@ class MoneticoPaiementHelper
         $sql = new \DbQuery();
         $sql->select('count(*)');
         $sql->from('monetico_code_site_opts');
-        $sql->where('`code_site_id` = "' . $code_site_id . '"');
-        $sql->where(' `opt` = "' . $filter_key . '"');
+        $sql->where('`code_site_id` = "' . pSQL($code_site_id) . '"');
+        $sql->where(' `opt` = "' . pSQL($filter_key) . '"');
 
         return (int)Db::getInstance()->getValue($sql);
     }
@@ -308,9 +308,9 @@ class MoneticoPaiementHelper
         $sql = new \DbQuery();
         $sql->select('count(*)');
         $sql->from('monetico_code_site_opts');
-        $sql->where('`code_site_id` = "' . $code_site_id . '"');
-        $sql->where(' `opt` = "' . $filter_key . '"');
-        $sql->where(' `value` = "' . $fitler_value . '"');
+        $sql->where('`code_site_id` = "' . (int)$code_site_id . '"');
+        $sql->where(' `opt` = "' . pSQL($filter_key) . '"');
+        $sql->where(' `value` = "' . pSQL($fitler_value) . '"');
 
         return (int)Db::getInstance()->getValue($sql);
     }
@@ -386,7 +412,7 @@ class MoneticoPaiementHelper
         $sql = new \DbQuery();
         $sql->select('*');
         $sql->from('monetico_transaction');
-        $sql->where(' `order_ref` = "' . $order_ref . '"');
+        $sql->where(' `order_ref` = "' . pSQL($order_ref) . '"');
         return Db::getInstance()->getRow($sql);
     }
 
@@ -472,7 +498,7 @@ class MoneticoPaiementHelper
         $sql = new \DbQuery();
         $sql->select('id');
         $sql->from('monetico_alias_bc');
-        $sql->where(' `alias` = "' . $alias . '"');
+        $sql->where(' `alias` = "' . pSQL($alias) . '"');
         $row = Db::getInstance()->getValue($sql);
         return $row ?? '';
     }

Other recommendations

• It’s highly recommended to upgrade the module to the latest version or to delete the module if unused.
• To help improve the security of your PrestaShop installation, we recommend upgrading to the latest version. One of the benefits of upgrading is that it will disable the use of multiquery executions (separated by semicolons). However, please be aware that this will not protect your shop against SQL injection attacks that use the UNION clause to steal data. Additionally, it’s important to note that PrestaShop includes a function called pSQL, which includes a strip_tags function. This helps protect your shop against Stored XSS (also known as XSS T2) of Category 1. If a pSQL function is missing, it could potentially expose your project to critical Stored XSS vulnerabilities due to edge cases. Therefore, it’s crucial to ensure that all relevant functions are properly implemented and used consistently throughout your project.
• Change the default database prefix ps_ with a new longer, arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skills because of a design vulnerability in DBMS
• Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

Timeline

Links

• Download page of Monetico module
• National Vulnerability Database

Summary

• CVE ID: CVE-2024-6648
• Published at: 2025-05-08
• Advisory source: Incibe cert
• Platform: PrestaShop
• Product: Ap Page Builder
• Impacted release: < 4.0.0
• Product author: Apollo Theme
• Weakness: CWE-36
• Severity: high (8.7)

Description

Absolute Path Traversal vulnerability in AP Page Builder versions prior to 4.0.0 could allow an unauthenticated remote user to modify the ‘product_item_path’ within the ‘config’ JSON file, allowing them to read any file on the system.

WARNING : This exploit uses a Base64 payload, which may bypass most WAFs.

Be aware that it’s possible to obfuscate a Base64 string using special characters to evade detection - the base64_decode() function in PHP will silently strip them out.

For example, the following is a perfectly valid Base64 input for base64_decode: Li4$vLi4-vY#XBwL–2NvbmZpZy9wYXJhb-WV0Z$XJzLnB$ocA==

If you’re using ModSecurity 2, prefer base64DecodeExt over base64Decode to mitigate this technique.

CVSS base metrics

• Attack Vector (AV): Network
• Attack Complexity (AC): Low
• Attack Requirements (AT): None
• Privileges Required (PR): None
• User Interaction (UI): None
• Confidentiality (VC): High
• Integrity (VI): None
• Availability (VA): None

Vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Proof of concept

POC has been published by n0d0n : https://github.com/n0d0n/CVE-2024-6648/blob/main/CVE-2024-6648.yaml

curl -v "https://preprod.X/modules/appagebuilder/apajax.php?config=eyJvcmRlcl9ieSI6ImlkX3Byb2R1Y3QiLCJuYl9wcm9kdWN0cyI6IjIiLCJ0b3RhbF9wYWdlIjoxLCAicHJvZHVjdF9pdGVtX3BhdGgiOiAiY29uZmlnLnhtbCIsICJjb2x1bW5zIjogMX0%3d&p=1"

Patch

See this : Help Center - PrestaShop

Timeline

Links

• Incibe cert advisory
• Prestashop advisory
• Theme page
• Public POC

Summary

• CVE ID: CVE-2025-24027
• Published at: 2025-01-22
• Advisory source: PrestaShop
• Platform: PrestaShop
• Product: PrestaShop
• Impacted release: <= 3.3.2, 3.3.3 patched the issue
• Product author: PrestaShop
• Weakness: CWE-79
• Severity: low (4.1)

Description

The ps_contactinfo module for PrestaShop, used to display store contact information, contains a cross-site scripting (XSS) weakness in versions up to and including 3.3.2.

This weakness could lead to a chained vulnerability if and only if the store uses a third-party module vulnerable to SQL injection, as ps_contactinfo might execute stored XSS when rendering formatted objects.

The issue is addressed in commit d60f9a5634b4fc2d3a8831fb08fe2e1f23cbfa39, which prevents formatted addresses from executing stored XSS present in the database. The fix will be included in version 3.3.3 of the module.

No workarounds are currently available, other than applying the fix and ensuring that all modules are properly maintained and up to date.

CVSS base metrics

• Attack vector: network
• Attack complexity: none
• Privilege required: high
• User interaction: none
• Scope: unchanged
• Confidentiality: low
• Integrity: low
• Availability: low

Vector string: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L

Timeline

Links

• PrestaShop product repository
• Patch

Summary

• CVE ID: CVE-2024-41670
• Published at: 2024-07-25
• Advisory source: Github repository of Paypal module for PrestaShop
• Platform: PrestaShop
• Product: paypal
• Impacted release: <= 6.4.1 (6.4.2 fix the vulnerability) / <= 3.18.0 (3.18.1 fix the vulnerability)
• Product author: 202 ecommerce
• Weakness: CWE-358
• Severity: medium (6.5)

Description

Before to 6.4.1 or 3.18.1, a logical weakness during the capture of a payment in case of disabled webhooks can be exploited to create an accepted order.

CVSS base metrics

• Attack vector: network
• Attack complexity: low
• Privilege required: low
• User interaction: none
• Scope: unchanged
• Confidentiality: low
• Integrity: high
• Availability: low

Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Possible malicious usage

• Confirm order with a fraudulent payment support

Other recommendations

• Upgrade PayPal up to 6.4.2 or 3.18.1 according to your PrestaShop version.
• Enable webhooks and check they are callable

Timeline

Links

• PrestaShop addons product page
• Github repository of Paypal module for PrestaShop
• National Vulnerability Database

Summary

• CVE ID: CVE-2024-34988
• Published at: 2024-06-20
• Platform: PrestaShop
• Product: askforaquotemodul
• Impacted release: <= 1.0.51 (1.0.52 fixed the vulnerability - see WARNING below)
• Product author: Buy Addons
• Weakness: CWE-89
• Severity: critical (9.8)

Description

Methods AskforaquotemodulcustomernewquoteModuleFrontController::run(), AskforaquotemoduladdproductnewquoteModuleFrontController::run(), AskforaquotemodulCouponcodeModuleFrontController::run(), AskforaquotemodulgetshippingcostModuleFrontController::run(), AskforaquotemodulgetstateModuleFrontController::run() has sensitive SQL call that can be executed with a trivial http call and exploited to forge a SQL injection.

This exploit uses a PrestaShop front controller and most attackers can conceal the module controller’s path during the exploit, so you will never know within your conventional frontend logs that it exploits this vulnerability. You will only see “POST /” inside your conventional frontend logs. Activating the AuditEngine of mod_security (or similar) is the only way to get data to confirm this exploit.

WARNING : this version still has sensitives vulnerabilities such as IDOR.

CVSS base metrics

• Attack vector: network
• Attack complexity: low
• Privilege required: none
• User interaction: none
• Scope: unchanged
• Confidentiality: high
• Integrity: high
• Availability: high

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Possible malicious usage

• Obtain admin access
• Remove data from the associated PrestaShop
• Copy/paste data from sensitive tables to FRONT to expose tokens and unlock admin’s ajax scripts
• Rewrite SMTP settings to hijack emails

Other recommendations

• It’s recommended to upgrade to the latest version of the module askforaquotemodul.
• To help improve the security of your PrestaShop installation, we recommend upgrading to the latest version. One of the benefits of upgrading is that it will disable the use of multiquery executions (separated by semicolons). However, please be aware that this will not protect your shop against SQL injection attacks that use the UNION clause to steal data. Additionally, it’s important to note that PrestaShop includes a function called pSQL, which includes a strip_tags function. This helps protect your shop against Stored XSS (also known as XSS T2) of Category 1. If a pSQL function is missing, it could potentially expose your project to critical Stored XSS vulnerabilities due to edge cases. Therefore, it’s crucial to ensure that all relevant functions are properly implemented and used consistently throughout your project.
• Change the default database prefix ps_ with a new longer, arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skill because of a design vulnerability in DBMS
• Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

Timeline

Links

• PrestaShop addons product page
• National Vulnerability Database

Summary

• CVE ID: CVE-2024-34991
• Published at: 2024-06-20
• Platform: PrestaShop
• Product: axepta
• Impacted release: <= 1.3.3 (1.3.4 fixed the vulnerability)
• Product author: Quadra Informatique
• Weakness: CWE-359
• Severity: high (7.5), GDPR violation

Description

Due to a lack of permission control, a guest can access debug log from the module which can lead to leak of personal information such as partial credit card information (expiry date), postal address, email, etc which are encoded in base64.

CVSS base metrics

• Attack vector: network
• Attack complexity: low
• Privilege required: none
• User interaction: none
• Scope: unchanged
• Confidentiality: high
• Integrity: none
• Availability: none

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Possible malicious usage

• Steal personal data

Timeline

Other recommendations

• It’s recommended to upgrade to the latest version of the module axepta.
• You should restrict access to this URI pattern : modules/axepta/log/ to a given whitelist

Links

• Author product page
• National Vulnerability Database

Summary

• CVE ID: CVE-2024-34992
• Published at: 2024-06-20
• Platform: PrestaShop
• Product: helpdesk
• Impacted release: < 2.4.0 (2.4.0 fixed the vulnerability)
• Product author: FME Modules
• Weakness: CWE-89
• Severity: high (8.8)

Description

The method Tickets::getsearchedtickets() has sensitive SQL call that can be executed with a trivial http call and exploited to forge a SQL injection.

This exploit uses a PrestaShop front controller and most attackers can conceal the module controller’s path during the exploit, so you will never know within your conventional frontend logs that it exploits this vulnerability. You will only see “POST /” inside your conventional frontend logs. Activating the AuditEngine of mod_security (or similar) is the only way to get data to confirm this exploit.

CVSS base metrics

• Attack vector: network
• Attack complexity: low
• Privilege required: low
• User interaction: none
• Scope: unchanged
• Confidentiality: high
• Integrity: high
• Availability: high

Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Possible malicious usage

• Obtain admin access
• Remove data from the associated PrestaShop
• Copy/paste data from sensitive tables to FRONT to expose tokens and unlock admin’s ajax scripts
• Rewrite SMTP settings to hijack emails

Other recommendations

• It’s recommended to upgrade to the latest version of the module helpdesk.
• To help improve the security of your PrestaShop installation, we recommend upgrading to the latest version. One of the benefits of upgrading is that it will disable the use of multiquery executions (separated by semicolons). However, please be aware that this will not protect your shop against SQL injection attacks that use the UNION clause to steal data. Additionally, it’s important to note that PrestaShop includes a function called pSQL, which includes a strip_tags function. This helps protect your shop against Stored XSS (also known as XSS T2) of Category 1. If a pSQL function is missing, it could potentially expose your project to critical Stored XSS vulnerabilities due to edge cases. Therefore, it’s crucial to ensure that all relevant functions are properly implemented and used consistently throughout your project.
• Change the default database prefix ps_ with a new longer, arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skills because of a design vulnerability in DBMS
• Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

Timeline

Links

• PrestaShop addons product page
• National Vulnerability Database

Summary

• CVE ID: CVE-2023-50029
• Published at: 2024-06-20
• Platform: PrestaShop
• Product: m4pdf
• Impacted release: <= 3.3.1 (3.3.2 fixed the vulnerability - see WARNING below)
• Product author: PrestaAddons
• Weakness: CWE-94
• Severity: critical (10)

Description

The method M4PDF::saveTemplate() has sensitive action that can be executed with a trivial http call and exploited to forge a Code injection.

Note : A useless predictable token protect these methods.

This exploit uses a PrestaShop front controller and most attackers can conceal the module controller’s path during the exploit, so you will never know within your conventional frontend logs that it exploits this vulnerability. You will only see “POST /” inside your conventional frontend logs. Activating the AuditEngine of mod_security (or similar) is the only way to get data to confirm this exploit.

WARNING : The module still own sensitive to critical issues because author refuse to update its logical authentication flaw, you should consider to delete it or put its front controller under IP restriction, if you do so, you must be aware of this.

Edit 2024-09-10 - WARNING : This exploit is actively used to deploy webskimmer to massively steal credit cards. Since POC is now exploited, it is considered public.

CVSS base metrics

• Attack vector: network
• Attack complexity: low
• Privilege required: none
• User interaction: none
• Scope: changed
• Confidentiality: high
• Integrity: high
• Availability: high

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Possible malicious usage

• Obtain admin access
• Remove data from the associated PrestaShop
• Copy/paste data from sensitive tables to FRONT to expose tokens and unlock admin’s ajax scripts
• Rewrite SMTP settings to hijack emails

Proof of concept

curl -v -X POST -d 'fc=module&module=m4pdf&controller=pdf&nav=1&action=save&action_target=test.php&template=test&m4token=PREDICTABLE_TOKEN&editor_content=<?= 42;' 'https://preprod.X/' && curl -v 'https://preprod.X/modules/m4pdf/tpl/test.php'

Other recommendations

• It’s recommended to delete the module m4pdf since author refuse to review its authentication design based on predictable token
• Activate OWASP 933’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

Timeline

Links

• PrestaShop addons product page
• National Vulnerability Database

Summary

• CVE ID: CVE-2024-36681
• Published at: 2024-06-20
• Platform: PrestaShop
• Product: pk_isotope
• Impacted release: <= 1.7.3 (see WARNING 2 below)
• Product author: Promokit.eu
• Weakness: CWE-89
• Severity: critical (9.8)

Description

Methods pk_isotope::saveData and pk_isotope::removeData have sensitives SQL calls that can be executed with a trivial http call and exploited to forge a SQL injection.

WARNING 1 : This exploit is actively used to deploy a webskimmer to massively steal credit cards.

WARNING 2 : Versions declared as impacted are versions where we confirmed critical issue. Author don’t know which exacts versions are impacted, he only said us that it was a long time ago. Author refuse to provide the last version to let us check that all is fixed. So you should consider that all versions can be impacted.

CVSS base metrics

• Attack vector: network
• Attack complexity: low
• Privilege required: none
• User interaction: none
• Scope: unchanged
• Confidentiality: high
• Integrity: high
• Availability: high

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Possible malicious usage

• Obtain admin access
• Remove data from the associated PrestaShop
• Copy/paste data from sensitive tables to FRONT to expose tokens and unlock admin’s ajax scripts
• Rewrite SMTP settings to hijack emails

Proof of concept

curl -v "https://preprod.X/modules/pk_isotope/ajax.php?pID=1);select(0x73656C65637420736C656570283432293B)INTO@a;prepare`b`from@a;execute`b`;--

Other recommendations

• It’s recommended to upgrade to the latest version of the module pk_isotope.
• To help improve the security of your PrestaShop installation, we recommend upgrading to the latest version. One of the benefits of upgrading is that it will disable the use of multiquery executions (separated by semicolons). However, please be aware that this will not protect your shop against SQL injection attacks that use the UNION clause to steal data. Additionally, it’s important to note that PrestaShop includes a function called pSQL, which includes a strip_tags function. This helps protect your shop against Stored XSS (also known as XSS T2) of Category 1. If a pSQL function is missing, it could potentially expose your project to critical Stored XSS vulnerabilities due to edge cases. Therefore, it’s crucial to ensure that all relevant functions are properly implemented and used consistently throughout your project.
• Change the default database prefix ps_ with a new longer, arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skills because of a design vulnerability in DBMS
• Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

Timeline

Links

• Author product page
• Theme forest author page
• Theme forest product page
• National Vulnerability Database

Summary

• CVE ID: CVE-2024-36682
• Published at: 2024-06-20
• Platform: PrestaShop
• Product: pk_themesettings
• Impacted release: <= 1.8.8 (see WARNING below)
• Product author: Promokit.eu
• Weakness: CWE-359
• Severity: high (7.5), GDPR violation

Description

Due to a lack of permission control, a guest can access the txt file which collect emails when maintenance is enable which can lead to leak of personal information.

WARNING : Versions declared as impacted are versions where we confirmed critical issue. Author don’t know which exacts versions are impacted, he only said us that it was a long time ago. Author refuse to provide the last version to let us check that all is fixed. So you should consider that all versions can be impacted.

CVSS base metrics

• Attack vector: network
• Attack complexity: low
• Privilege required: none
• User interaction: none
• Scope: unchanged
• Confidentiality: high
• Integrity: none
• Availability: none

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Possible malicious usage

• Steal personal data

Timeline

Links

• Author product page
• Theme forest author page
• Theme forest product page
• National Vulnerability Database

Summary

• CVE ID: CVE-2024-34989
• Published at: 2024-06-20
• Advisory source: Friends-Of-Presta.org
• Platform: PrestaShop
• Product: prestapdf
• Impacted release: <= 3.9.0 (see WARNING below)
• Product author: RSI
• Weakness: CWE-89
• Severity: critical (9.8)

Description

The method PrestaPDFProductListModuleFrontController::queryDb() has multiple sensitive SQL calls that can be executed with a trivial http call and exploited to forge a SQL injection.

Parameters id_product, langs, skipcat are sensitives parameter.

WARNING : Author refuse to patch the vulnerability so you should consider to uninstall it. There is strong design issue which cannot be fixed by a hotfix. Version tagged as impacted is the only version we had time to produce a POC for it, author has updated things in newer versions but its token is still predictible. So you should consider that all versions are impacted.

CVSS base metrics

• Attack vector: network
• Attack complexity: low
• Privilege required: none
• User interaction: none
• Scope: unchanged
• Confidentiality: high
• Integrity: high
• Availability: high

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Possible malicious usage

• Obtain admin access
• Remove data from the associated PrestaShop
• Complete takeover

Other recommendations

• It’s recommended to delete this module.
• To help improve the security of your PrestaShop installation, we recommend upgrading to the latest version. One of the benefits of upgrading is that it will disable the use of multiquery executions (separated by semicolons). However, please be aware that this will not protect your shop against SQL injection attacks that use the UNION clause to steal data. Additionally, it’s important to note that PrestaShop includes a function called pSQL, which includes a strip_tags function. This helps protect your shop against Stored XSS (also known as XSS T2) of Category 1. If a pSQL function is missing, it could potentially expose your project to critical Stored XSS vulnerabilities due to edge cases. Therefore, it’s crucial to ensure that all relevant functions are properly implemented and used consistently throughout your project.
• Change the default database prefix ps_ with a new longer, arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skills because of a design vulnerability in DBMS
• Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

Timeline

Links

• PrestaShop addons product page
• National Vulnerability Database

Summary

• CVE ID: CVE-2024-36683
• Published at: 2024-06-20
• Platform: PrestaShop
• Product: productsalert
• Impacted release: < 1.7.4 (1.7.4 fixed the vulnerability)
• Product author: Smart Modules
• Weakness: CWE-89
• Severity: critical (9.8)

Description

The method ProductsAlertAjaxProcessModuleFrontController::initContent has sensitive SQL calls that can be executed with a trivial http call and exploited to forge a SQL injection.

This exploit uses a PrestaShop front controller and most attackers can conceal the module controller’s path during the exploit, so you will never know within your conventional frontend logs that it exploits this vulnerability. You will only see “POST /” inside your conventional frontend logs. Activating the AuditEngine of mod_security (or similar) is the only way to get data to confirm this exploit.

CVSS base metrics

• Attack vector: network
• Attack complexity: low
• Privilege required: none
• User interaction: none
• Scope: unchanged
• Confidentiality: high
• Integrity: high
• Availability: high

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Possible malicious usage

• Obtain admin access
• Remove data from the associated PrestaShop
• Copy/paste data from sensitive tables to FRONT to expose tokens and unlock admin’s ajax scripts
• Rewrite SMTP settings to hijack emails

Other recommendations

• It’s recommended to upgrade to the latest version of the module productsalert.
• To help improve the security of your PrestaShop installation, we recommend upgrading to the latest version. One of the benefits of upgrading is that it will disable the use of multiquery executions (separated by semicolons). However, please be aware that this will not protect your shop against SQL injection attacks that use the UNION clause to steal data. Additionally, it’s important to note that PrestaShop includes a function called pSQL, which includes a strip_tags function. This helps protect your shop against Stored XSS (also known as XSS T2) of Category 1. If a pSQL function is missing, it could potentially expose your project to critical Stored XSS vulnerabilities due to edge cases. Therefore, it’s crucial to ensure that all relevant functions are properly implemented and used consistently throughout your project.
• Change the default database prefix ps_ with a new longer, arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skills because of a design vulnerability in DBMS
• Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

Timeline

Links

• PrestaShop addons product page
• Author product page
• National Vulnerability Database

Summary

• CVE ID: CVE-2024-34993
• Published at: 2024-06-18
• Platform: PrestaShop
• Product: bagoogleshopping
• Impacted release: < 1.0.26 (1.0.26 fixed the vulnerability)
• Product author: Buy Addons
• Weakness: CWE-89
• Severity: critical (9.8)

Description

The method GenerateCategories::renderCategories() has sensitive SQL calls that can be executed with a trivial http call and exploited to forge a SQL injection.

CVSS base metrics

• Attack vector: network
• Attack complexity: low
• Privilege required: none
• User interaction: none
• Scope: unchanged
• Confidentiality: high
• Integrity: high
• Availability: high

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Possible malicious usage

• Obtain admin access
• Remove data from the associated PrestaShop
• Copy/paste data from sensitive tables to FRONT to expose tokens and unlock admin’s ajax scripts
• Rewrite SMTP settings to hijack emails

Other recommendations

• It’s recommended to upgrade to the latest version of the module bagoogleshopping.
• To help improve the security of your PrestaShop installation, we recommend upgrading to the latest version. One of the benefits of upgrading is that it will disable the use of multiquery executions (separated by semicolons). However, please be aware that this will not protect your shop against SQL injection attacks that use the UNION clause to steal data. Additionally, it’s important to note that PrestaShop includes a function called pSQL, which includes a strip_tags function. This helps protect your shop against Stored XSS (also known as XSS T2) of Category 1. If a pSQL function is missing, it could potentially expose your project to critical Stored XSS vulnerabilities due to edge cases. Therefore, it’s crucial to ensure that all relevant functions are properly implemented and used consistently throughout your project.
• Change the default database prefix ps_ with a new longer, arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skill because of a design vulnerability in DBMS
• Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

Timeline

Links

• PrestaShop addons product page
• National Vulnerability Database

Summary

• CVE ID: CVE-2024-34994
• Published at: 2024-06-18
• Platform: PrestaShop
• Product: channable
• Impacted release: < 3.2.1 (3.2.1 fixed the vulnerability - see WARNING below)
• Product author: Channable
• Weakness: CWE-89
• Severity: critical (9.8)

Description

Due to a broken access control based on predictable token, the method ChannableFeedModuleFrontController::postProcess() has a sensitive SQL call that can be executed with a trivial http call and exploited to forge a SQL injection.

This exploit uses a PrestaShop front controller and most attackers can conceal the module controller’s path during the exploit, so you will never know within your conventional frontend logs that it exploits this vulnerability. You will only see “POST /” inside your conventional frontend logs. Activating the AuditEngine of mod_security (or similar) is the only way to get data to confirm this exploit.

WARNING : You MUST update the webservice key since it is predictable.

CVSS base metrics

• Attack vector: network
• Attack complexity: low
• Privilege required: none
• User interaction: none
• Scope: unchanged
• Confidentiality: high
• Integrity: high
• Availability: high

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Possible malicious usage

• Obtain admin access
• Remove data from the associated PrestaShop
• Copy/paste data from sensitive tables to FRONT to expose tokens and unlock admin’s ajax scripts
• Rewrite SMTP settings to hijack emails

Other recommendations

• It’s recommended to upgrade to the latest version of the module channable.
• You MUST update the key for your webservice since it is predictable.
• To help improve the security of your PrestaShop installation, we recommend upgrading to the latest version. One of the benefits of upgrading is that it will disable the use of multiquery executions (separated by semicolons). However, please be aware that this will not protect your shop against SQL injection attacks that use the UNION clause to steal data. Additionally, it’s important to note that PrestaShop includes a function called pSQL, which includes a strip_tags function. This helps protect your shop against Stored XSS (also known as XSS T2) of Category 1. If a pSQL function is missing, it could potentially expose your project to critical Stored XSS vulnerabilities due to edge cases. Therefore, it’s crucial to ensure that all relevant functions are properly implemented and used consistently throughout your project.
• Change the default database prefix ps_ with a new longer, arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skill because of a design vulnerability in DBMS
• Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

Timeline

Links

• Author product page
• National Vulnerability Database

Summary

• CVE ID: CVE-2024-34990
• Published at: 2024-06-18
• Platform: PrestaShop
• Product: helpdesk
• Impacted release: < 2.4.0 (2.4.0 fixed the vulnerability)
• Product author: FME Modules
• Weakness: CWE-434
• Severity: critical (9.9)

Description

Methods HelpdeskHelpdeskModuleFrontController::submitTicket() and HelpdeskHelpdeskModuleFrontController::replyTicket() allow upload of .php files on a predictable path for connected customers, it will lead to a critical vulnerability CWE-94.

This exploit uses a PrestaShop front controller and most attackers can conceal the module controller’s path during the exploit, so you will never know within your conventional frontend logs that it exploits this vulnerability. You will only see “POST /” inside your conventional frontend logs. Activating the AuditEngine of mod_security (or similar) is the only way to get data to confirm this exploit.

CVSS base metrics

• Attack vector: network
• Attack complexity: low
• Privilege required: low
• User interaction: none
• Scope: changed
• Confidentiality: high
• Integrity: high
• Availability: high

Vector string: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Possible malicious usage

• Obtain admin access
• Remove data from the associated PrestaShop
• Steal data

Proof of concept

1. Connect as customer
2. Go to the customer ticket’s dashboard
3. Submit a ticket or Reply to an existing one, with a .php file in attachment

Other recommendations

• It’s recommended to upgrade to the latest version of the module helpdesk.
• Activate OWASP 933’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

Timeline

Links

• PrestaShop addons product page
• National Vulnerability Database

Summary

• CVE ID: CVE-2024-33836
• Published at: 2024-06-18
• Platform: PrestaShop
• Product: jamarketplace
• Impacted release: <= 9.0.1 (9.0.2 fixed the vulnerability)
• Product author: JA Module
• Weakness: CWE-434
• Severity: critical (10)

Description

In version 6.X, the method JmarketplaceproductModuleFrontController::init() and in version 8.X, the method JmarketplaceSellerproductModuleFrontController::init() allow upload of .php files, which will lead to a critical vulnerability CWE-94.

This exploit is actively exploited in the wild

CVSS base metrics

• Attack vector: network
• Attack complexity: low
• Privilege required: none
• User interaction: none
• Scope: changed
• Confidentiality: high
• Integrity: high
• Availability: high

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Possible malicious usage

• Obtain admin access
• Remove data from the associated PrestaShop
• Steal data

Other recommendations

• It’s recommended to upgrade to the latest version of the module jamarketplace.
• Activate OWASP 933’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

Timeline

Links

• PrestaShop addons product page
• National Vulnerability Database

Summary

• CVE ID: CVE-2024-36679
• Published at: 2024-06-18
• Advisory source: Friends-Of-Presta.org
• Platform: PrestaShop
• Product: livechatpro
• Impacted release: <= 8.4.0 (see WARNING below)
• Product author: ProQuality
• Weakness: CWE-94
• Severity: critical (10.0)

Description

Due to a predictable token, the method Lcp::saveTranslations() suffer of a white writer that can inject PHP code into a PHP file which will lead to critical RCE.

WARNING : Author refuse to patch the vulnerability so you should consider to uninstall it. There is strong design issue which cannot be fixed by a hotfix. Version tagged as impacted is the only version we had time to produce a POC for it, author has updated things in newer versions but its token is still predictable. So you should consider that all versions are impacted.

CVSS base metrics

• Attack vector: network
• Attack complexity: low
• Privilege required: none
• User interaction: none
• Scope: changed
• Confidentiality: high
• Integrity: high
• Availability: high

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Possible malicious usage

• Obtain admin access
• Remove data from the associated PrestaShop
• Complete takeover

Other recommendations

• It’s recommended to delete this module.
• Activate OWASP 933’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

Timeline

Links

• PrestaShop addons product page
• National Vulnerability Database

Summary

• CVE ID: CVE-2024-36677
• Published at: 2024-06-18
• Platform: PrestaShop
• Product: loginascustomerpro
• Impacted release: < 1.2.7 (1.2.7 fixed the vulnerability)
• Product author: Weblir
• Weakness: CWE-359
• Severity: high (7.5), GDPR violation

Description

Foreword : we are forced to tag privilege NONE on the CVSS 3.1 score which make it a high vulnerability since it will be high if the module has never been installed OR (if the LOGINASCUSTOMERPRO_TOKEN configuration do not exist OR is empty), but keep in mind that for the majority of installations, the gravity is low

The script PHP ajax.php allow to exfiltrate links to connect to all customer’s accounts.

CVSS base metrics

• Attack vector: network
• Attack complexity: low
• Privilege required: none
• User interaction: none
• Scope: unchanged
• Confidentiality: high
• Integrity: none
• Availability: none

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Possible malicious usage

• Steal personal data

Other recommendations

• It’s recommended to upgrade to the latest version of the module loginascustomerpro.
• You should restrict access to this URI pattern : modules/loginascustomerpro/ajax.php to a given whitelist

Timeline

Links

• PrestaShop addons product page
• National Vulnerability Database

Summary

• CVE ID: CVE-2024-36684
• Published at: 2024-06-18
• Platform: PrestaShop
• Product: pk_customlinks
• Impacted release: <= 2.3 (see WARNING below)
• Product author: Promokit.eu
• Weakness: CWE-89
• Severity: critical (9.8)

Description

The script ajax.php have a sensitive SQL call that can be executed with a trivial http call and exploited to forge a SQL injection.

WARNING : Versions declared as impacted are versions where we confirmed critical issue. Author don’t know which exacts versions are impacted, he only said us that it was a long time ago. Author refuse to provide the last version to let us check that all is fixed. So you should consider that all versions can be impacted.

CVSS base metrics

• Attack vector: network
• Attack complexity: low
• Privilege required: none
• User interaction: none
• Scope: unchanged
• Confidentiality: high
• Integrity: high
• Availability: high

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Possible malicious usage

• Obtain admin access
• Remove data from the associated PrestaShop
• Copy/paste data from sensitive tables to FRONT to expose tokens and unlock admin’s ajax scripts
• Rewrite SMTP settings to hijack emails

Other recommendations

• It’s recommended to upgrade to the latest version of the module pk_customlinks.
• To help improve the security of your PrestaShop installation, we recommend upgrading to the latest version. One of the benefits of upgrading is that it will disable the use of multiquery executions (separated by semicolons). However, please be aware that this will not protect your shop against SQL injection attacks that use the UNION clause to steal data. Additionally, it’s important to note that PrestaShop includes a function called pSQL, which includes a strip_tags function. This helps protect your shop against Stored XSS (also known as XSS T2) of Category 1. If a pSQL function is missing, it could potentially expose your project to critical Stored XSS vulnerabilities due to edge cases. Therefore, it’s crucial to ensure that all relevant functions are properly implemented and used consistently throughout your project.
• Change the default database prefix ps_ with a new longer, arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skills because of a design vulnerability in DBMS
• Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

Timeline

Links

• Author product page
• Theme forest author page
• Theme forest product page
• National Vulnerability Database

WARNING : This exploit is actively used to deploy a webskimmer to massively steal credit cards.

Summary

• CVE ID: CVE-2024-36678
• Published at: 2024-06-18
• Platform: PrestaShop
• Product: pk_themesettings
• Impacted release: <= 1.8.8 (see WARNING below)
• Product author: Promokit.eu
• Weakness: CWE-89
• Severity: critical (9.8)

Description

The script ajax.php have a sensitive SQL call that can be executed with a trivial http call and exploited to forge a SQL injection.

WARNING : Versions declared as impacted are versions where we confirmed critical issue. Author don’t know which exacts versions are impacted, he only said us that it was a long time ago. Author refuse to provide the last version to let us check that all is fixed. So you should consider that all versions can be impacted.

CVSS base metrics

• Attack vector: network
• Attack complexity: low
• Privilege required: none
• User interaction: none
• Scope: unchanged
• Confidentiality: high
• Integrity: high
• Availability: high

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Possible malicious usage

• Obtain admin access
• Remove data from the associated PrestaShop
• Copy/paste data from sensitive tables to FRONT to expose tokens and unlock admin’s ajax scripts
• Rewrite SMTP settings to hijack emails

Proof of concept

curl -v 'https://preprod.X/modules/pk_themesettings/ajax.php?id=1&customer=1&lang_id=1;select(0x73656C65637420736C656570283432293B)INTO@a;prepare`b`from@a;execute`b`;--'

Other recommendations

• It’s recommended to upgrade to the latest version of the module pk_themesettings.
• To help improve the security of your PrestaShop installation, we recommend upgrading to the latest version. One of the benefits of upgrading is that it will disable the use of multiquery executions (separated by semicolons). However, please be aware that this will not protect your shop against SQL injection attacks that use the UNION clause to steal data. Additionally, it’s important to note that PrestaShop includes a function called pSQL, which includes a strip_tags function. This helps protect your shop against Stored XSS (also known as XSS T2) of Category 1. If a pSQL function is missing, it could potentially expose your project to critical Stored XSS vulnerabilities due to edge cases. Therefore, it’s crucial to ensure that all relevant functions are properly implemented and used consistently throughout your project.
• Change the default database prefix ps_ with a new longer, arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skills because of a design vulnerability in DBMS
• Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

Timeline

Links

• Author product page
• Theme forest author page
• Theme forest product page
• National Vulnerability Database

Summary

• CVE ID: CVE-2024-36680
• Published at: 2024-06-18
• Platform: PrestaShop
• Product: pkfacebook
• Impacted release: <= 1.0.1 (see WARNING 2 below)
• Product author: Promokit.eu
• Weakness: CWE-89
• Severity: critical (9.8)

Description

The ajax script facebookConnect.php have a sensitive SQL call that can be executed with a trivial http call and exploited to forge a SQL injection.

WARNING 1 : This exploit is actively used to deploy a webskimmer to massively steal credit cards.

WARNING 2 : Versions declared as impacted are versions where we confirmed critical issue. Author don’t know which exacts versions are impacted, he only said us that it was a long time ago. Author refuse to provide the last version to let us check that all is fixed. So you should consider that all versions can be impacted.

CVSS base metrics

• Attack vector: network
• Attack complexity: low
• Privilege required: none
• User interaction: none
• Scope: unchanged
• Confidentiality: high
• Integrity: high
• Availability: high

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Possible malicious usage

• Obtain admin access
• Remove data from the associated PrestaShop
• Copy/paste data from sensitive tables to FRONT to expose tokens and unlock admin’s ajax scripts
• Rewrite SMTP settings to hijack emails

Proof of concept

curl -v "https://preprod.X/modules/pkfacebook/ajax/facebookConnect.php?id=1";select(0x73656C65637420736C656570283432293B)INTO@a;prepare`b`from@a;execute`b`;--&email=test@test.fr

Other recommendations

• It’s recommended to upgrade to the latest version of the module pkfacebook.
• To help improve the security of your PrestaShop installation, we recommend upgrading to the latest version. One of the benefits of upgrading is that it will disable the use of multiquery executions (separated by semicolons). However, please be aware that this will not protect your shop against SQL injection attacks that use the UNION clause to steal data. Additionally, it’s important to note that PrestaShop includes a function called pSQL, which includes a strip_tags function. This helps protect your shop against Stored XSS (also known as XSS T2) of Category 1. If a pSQL function is missing, it could potentially expose your project to critical Stored XSS vulnerabilities due to edge cases. Therefore, it’s crucial to ensure that all relevant functions are properly implemented and used consistently throughout your project.
• Change the default database prefix ps_ with a new longer, arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skills because of a design vulnerability in DBMS
• Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

Timeline

Links

• Author product page
• Author product page
• National Vulnerability Database

Summary

• CVE ID: CVE-2024-33274
• Published at: 2024-04-29
• Platform: PrestaShop
• Product: customfields
• Impacted release: <= 2.2.7 (2.2.8 fixed the vulnerability)
• Product author: FME Modules
• Weakness: CWE-22
• Severity: high (7.5)

Description

Due to predictable token and a lack of control in the path name construction, a guest can perform a path traversal to view all files on the information system.

Note : We are forced to tag it as a high gravity due to the CWE type 22 but be warned that on our ecosystem, it must be considered critical since it unlocks hundreds admin’s ajax script of modules due to this

WARNING : This exploit use a base64 payload so it will bypass some WAF. Be informed too that it could be used with a dangerous chain attack based on phar wrapper implicit deserialization (see recommendations below)

This exploit uses a PrestaShop front controller and most attackers can conceal the module controller’s path during the exploit, so you will never know within your conventional frontend logs that it exploits this vulnerability. You will only see “POST /” inside your conventional frontend logs. Activating the AuditEngine of mod_security (or similar) is the only way to get data to confirm this exploit.

WARNING : Be warned that the last version could still be exploited to exfiltrate files whose path does not contain “php”.

CVSS base metrics

• Attack vector: network
• Attack complexity: low
• Privilege required: none
• User interaction: none
• Scope: unchanged
• Confidentiality: high
• Integrity: none
• Availability: none

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Possible malicious usage

• Stealing secrets to unlock admin controllers based on ajax script
• Exfiltrate all modules with all versions to facilitate pentesting
• Stealing table_prefix to greatly facilitate SQL injections for kiddies who don’t know how to exploit DBMS design’s vulnerabilities or steal database access to login in exposed PHPMyAdmin / Adminer / etc.
• Bypass WAF / htaccess restrictions to read forbidden files (such as logs on predictable paths of banks’s modules inside /var/log/)

Other recommendations

• It’s recommended to upgrade to the latest version of the module customfields.
• NEVER expose a PHPMyAdmin / Adminer / etc without, at least, a htpasswd
• Activate OWASP 930’s rules on your WAF (Web application firewall) and adjust it for your PrestaShop
• Activate OWASP 933’s rules against wrapper (including phar wrapper) OWASP rules to filter “phar://”

Timeline

Links

• Author product page
• PrestaShop addons product page
• National Vulnerability Database

Summary

• CVE ID: CVE-2024-33270
• Published at: 2024-04-29
• Platform: PrestaShop
• Product: fileuploads
• Impacted release: <= 2.0.3 (2.0.4 fixed the vulnerability)
• Product author: FME Modules
• Weakness: CWE-359
• Severity: high (7.5), GDPR violation

Description

Due to a lack of permissions control, a guest can download all files uploaded by customers which could be national identity card / contents under NDA, etc.

This exploit uses a PrestaShop front controller and most attackers can conceal the module controller’s path during the exploit, so you will never know within your conventional frontend logs that it exploits this vulnerability. You will only see “POST /” inside your conventional frontend logs. Activating the AuditEngine of mod_security (or similar) is the only way to get data to confirm this exploit.

CVSS base metrics

• Attack vector: network
• Attack complexity: low
• Privilege required: none
• User interaction: none
• Scope: unchanged
• Confidentiality: high
• Integrity: none
• Availability: none

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Possible malicious usage

• Steal personal data

Timeline

Links

• Author product page
• PrestaShop addons product page
• National Vulnerability Database

Summary

• CVE ID: CVE-2024-33267
• Published at: 2024-04-29
• Platform: PrestaShop
• Product: hfheropayment
• Impacted release: <= 1.2.5 (1.2.6 fixed the vulnerability)
• Product author: Hero
• Weakness: CWE-89
• Severity: critical (9.8)

Description

The method HfHeropaymentGatewayBackModuleFrontController::initContent() has a sensitive SQL call that can be executed with a trivial http call and exploited to forge a SQL injection.

WARNING : This exploit use a base64 payload so it will bypass some WAF.

This exploit uses a PrestaShop front controller and most attackers can conceal the module controller’s path during the exploit, so you will never know within your conventional frontend logs that it exploits this vulnerability. You will only see “POST /” inside your conventional frontend logs. Activating the AuditEngine of mod_security (or similar) is the only way to get data to confirm this exploit.

CVSS base metrics

• Attack vector: network
• Attack complexity: low
• Privilege required: none
• User interaction: none
• Scope: unchanged
• Confidentiality: high
• Integrity: high
• Availability: high

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Possible malicious usage

• Obtain admin access
• Remove data from the associated PrestaShop
• Copy/paste data from sensitive tables to FRONT to expose tokens and unlock admin’s ajax scripts
• Rewrite SMTP settings to hijack emails

Patch from 1.2.5

--- 1.2.5/modules/hfheropayment/controllers/front/gatewayback.php
+++ XXXXX/modules/hfheropayment/controllers/front/gatewayback.php
            $id = Db::getInstance()->getValue(
                "SELECT hf_payment_id FROM `" . _DB_PREFIX_ . "cart_hf_heropayment`
-                    WHERE id='" . $insertId . "'"
+                    WHERE id='" . (int) $insertId . "'"
            );

Other recommendations

• It’s recommended to delete this module hfheropayment.
• To help improve the security of your PrestaShop installation, we recommend upgrading to the latest version. One of the benefits of upgrading is that it will disable the use of multiquery executions (separated by semicolons). However, please be aware that this will not protect your shop against SQL injection attacks that use the UNION clause to steal data. Additionally, it’s important to note that PrestaShop includes a function called pSQL, which includes a strip_tags function. This helps protect your shop against Stored XSS (also known as XSS T2) of Category 1. If a pSQL function is missing, it could potentially expose your project to critical Stored XSS vulnerabilities due to edge cases. Therefore, it’s crucial to ensure that all relevant functions are properly implemented and used consistently throughout your project.
• Change the default database prefix ps_ with a new longer, arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skill because of a design vulnerability in DBMS
• Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

Timeline

Links

• Authro Product page
• National Vulnerability Database

Summary

• CVE ID: CVE-2023-45385
• Published at: 2024-04-29
• Platform: PrestaShop
• Product: pqprintshippinglabels
• Impacted release: < 4.15.0 (4.15.0 fixed the vulnerability)
• Product author: ProQuality
• Weakness: CWE-22
• Severity: high (7.5)

Description

Due to a lack of permissions control and a lack of control in the path name construction, a guest can perform a path traversal to view all files on the information system.

WARNING : We are forced to tag it as a medium gravity due to the CWE type 22 but be warned that on our ecosystem, it must be considered critical since it unlocks hundreds admin’s ajax script of modules due to this : https://github.com/PrestaShop/PrestaShop/blob/6c05518b807d014ee8edb811041e3de232520c28/classes/Tools.php#L1247.

CVSS base metrics

• Attack vector: network
• Attack complexity: low
• Privilege required: none
• User interaction: none
• Scope: unchanged
• Confidentiality: high
• Integrity: none
• Availability: none

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Possible malicious usage

• Stealing secrets to unlock admin controllers based on ajax script
• Exfiltrate all modules with all versions to facilitate pentesting
• Stealing table_prefix to greatly facilitate SQL injections for kiddies who don’t know how to exploit DBMS design’s vulnerabilities or steal database access to login in exposed PHPMyAdmin/Adminer/etc.
• Bypass WAF / htaccess restrictions to read forbidden files (such as logs on predictable paths of banks’s modules inside /var/log/)

Patch from 4.12.0

--- 4.12.0/modules/pqprintshippinglabels/pdfs/shipping-labels.php
+++ XXXXXX/modules/pqprintshippinglabels/pdfs/shipping-labels.php

-$filename = $_REQUEST['filename'];
+$filename = basename($_REQUEST['filename']);

Be warned this fix is perfectible. See recommendations below.

Other recommendations

• You should consider restricting the access of modules/pqprintshippinglabels/pdfs/ to a whitelist or delete the module
• NEVER expose a PHPMyAdmin / Adminer / etc without, at least, a htpasswd
• Activate OWASP 930’s rules on your WAF (Web application firewall) and adjust it for your PrestaShop

Timeline

Links

• Author download page
• National Vulnerability Database

Summary

• CVE ID: CVE-2024-33273
• Published at: 2024-04-29
• Platform: PrestaShop
• Product: shipup
• Impacted release: < 3.3.0 (3.3.0 fixed the vulnerability)
• Product author: ShipUp
• Weakness: CWE-89
• Severity: critical (9.8)

Description

The function getShopId has sensitive a SQL call that can be executed with a trivial http call and exploited to forge a SQL injection.

Be informed that it only concerns Shops which never own more than one store.

Note : We marked that 3.3.0 fixed the vulnerability because it fixes the critical one, but you should apply the 3.5.0 which fix another high vulnerability with a CVSS score 3.1 of 7.1/10.

CVSS base metrics

• Attack vector: network
• Attack complexity: low
• Privilege required: none
• User interaction: none
• Scope: unchanged
• Confidentiality: high
• Integrity: high
• Availability: high

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Possible malicious usage

• Obtain admin access
• Remove data from the associated PrestaShop
• Copy/paste data from sensitive tables to FRONT to expose tokens and unlock admin’s ajax scripts
• Rewrite SMTP settings to hijack emails

Patch from 3.1.0

--- 3.1.0/modules/shipup/v1/index.php
+++ 3.5.0/modules/shipup/v1/index.php
...
@@ -30,14 +30,14 @@ function getShopId()
         if (!isset($_GET['shop_id'])) {
             render(403, 'Multi store present but no store_id provided');
         } else {
-            $query = $query." WHERE `id_shop` = '".$_GET['shop_id']."'";
+            $query = $query." WHERE `id_shop` = '". (int) $_GET['shop_id']."'";
         }
     }
     $shop_id = (int)($db->getValue($query));

     if ($shop_id == '') {
         if (isset($_GET['shop_id'])) {
-            $msg = "Store shop_id ".$_GET['shop_id']." not found";
+            $msg = "Store shop_id ".(int) $_GET['shop_id']." not found";
         } else {
             $msg = 'Store not found';
         }
@@ -211,7 +211,7 @@ function select_limit_10($table, $param,
     $where_clause = "";
     if (isset($_GET[$param])) {
         if (isset($_GET['exact'])) {
-            $where_clause = "WHERE `".$param."` = ".$db->escape($_GET[$param]);
+            $where_clause = "WHERE `".$param."` = ".(int) $_GET[$param];
         } else {
             $where_clause = "WHERE `".$param."` LIKE '%".$db->escape($_GET[$param])."%'";
         }
...

Other recommendations

• It’s recommended to upgrade to the latest version of the module shipup.
• To help improve the security of your PrestaShop installation, we recommend upgrading to the latest version. One of the benefits of upgrading is that it will disable the use of multiquery executions (separated by semicolons). However, please be aware that this will not protect your shop against SQL injection attacks that use the UNION clause to steal data. Additionally, it’s important to note that PrestaShop includes a function called pSQL, which includes a strip_tags function. This helps protect your shop against Stored XSS (also known as XSS T2) of Category 1. If a pSQL function is missing, it could potentially expose your project to critical Stored XSS vulnerabilities due to edge cases. Therefore, it’s crucial to ensure that all relevant functions are properly implemented and used consistently throughout your project.
• Change the default database prefix ps_ with a new longer, arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skills because of a design vulnerability in DBMS
• Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

Timeline

Links

• Author product page
• National Vulnerability Database

Summary

• CVE ID: CVE-2024-33275
• Published at: 2024-04-29
• Platform: PrestaShop
• Product: supernewsletter
• Impacted release: <= 1.4.21 (DANGER : all versions and author discontinue support)
• Product author: Webbax
• Weakness: CWE-89
• Severity: critical (9.8)

Description

The script product_search.php has sensitive SQL calls that can be executed with a trivial http call and exploited to forge a SQL injection.

WARNING : This module is obsolete and must be deleted since author discontinue support.

CVSS base metrics

• Attack vector: network
• Attack complexity: low
• Privilege required: none
• User interaction: none
• Scope: unchanged
• Confidentiality: high
• Integrity: high
• Availability: high

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Possible malicious usage

• Obtain admin access
• Remove data from the associated PrestaShop
• Copy/paste data from sensitive tables to FRONT to expose tokens and unlock admin’s ajax scripts
• Rewrite SMTP settings to hijack emails

Patch from 1.4.21

--- 1.4.21/modules/supernewsletter/ajax/product_search.php
+++ XXXXXX/modules/supernewsletter/ajax/product_search.php
-       ps.`id_shop` = '.pSQL($id_shop).' AND
-       pl.`id_shop` = '.pSQL($id_shop).' AND
-       pl.`id_lang` = '.pSQL($id_lang).'
+       ps.`id_shop` = '.(int) $id_shop.' AND
+       pl.`id_shop` = '.(int) $id_shop.' AND
+       pl.`id_lang` = '.(int) $id_lang.'

Other recommendations

• It’s recommended to delete the module since support is discontinue.
• You should consider restricting the access of /modules/supernewsletter/ajax/ to a whitelist
• To help improve the security of your PrestaShop installation, we recommend upgrading to the latest version. One of the benefits of upgrading is that it will disable the use of multiquery executions (separated by semicolons). However, please be aware that this will not protect your shop against SQL injection attacks that use the UNION clause to steal data. Additionally, it’s important to note that PrestaShop includes a function called pSQL, which includes a strip_tags function. This helps protect your shop against Stored XSS (also known as XSS T2) of Category 1. If a pSQL function is missing, it could potentially expose your project to critical Stored XSS vulnerabilities due to edge cases. Therefore, it’s crucial to ensure that all relevant functions are properly implemented and used consistently throughout your project.
• Change the default database prefix ps_ with a new longer, arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skill because of a design vulnerability in DBMS
• Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

Timeline

Links

• Author page
• Author page
• National Vulnerability Database

Summary

• CVE ID: CVE-2024-33272
• Published at: 2024-04-25
• Platform: PrestaShop
• Product: autosuggest
• Impacted release: < 2.0.0 (2.0.0 fixed the vulnerability)
• Product author: KnowBand
• Weakness: CWE-89
• Severity: critical (9.8)

Description

Methods AutosuggestSearchModuleFrontController::initContent() and AutosuggestSearchModuleFrontController::getKbProducts() has sensitive SQL call that can be executed with a trivial http call and exploited to forge a SQL injection.

WARNING : This exploit is actively used to deploy a webskimmer to massively steal credit cards.

This exploit uses a PrestaShop front controller and most attackers can conceal the module controller’s path during the exploit, so you will never know within your conventional frontend logs that it exploits this vulnerability. You will only see “POST /” inside your conventional frontend logs. Activating the AuditEngine of mod_security (or similar) is the only way to get data to confirm this exploit.

CVSS base metrics

• Attack vector: network
• Attack complexity: low
• Privilege required: none
• User interaction: none
• Scope: unchanged
• Confidentiality: high
• Integrity: high
• Availability: high

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Possible malicious usage

• Obtain admin access
• Remove data from the associated PrestaShop
• Copy/paste data from sensitive tables to FRONT to expose tokens and unlock admin’s ajax scripts
• Rewrite SMTP settings to hijack emails

Proof of concept

curl -v -d 'fc=module&module=autosuggest&controller=search&keyword=1";select(0x73656C65637420736C656570283432293B)INTO@a;prepare`b`from@a;execute`b`;--&prod_id=1' 'https://preprod.X'

Other recommendations

• It’s recommended to upgrade to the latest version of the module autosuggest.
• To help improve the security of your PrestaShop installation, we recommend upgrading to the latest version. One of the benefits of upgrading is that it will disable the use of multiquery executions (separated by semicolons). However, please be aware that this will not protect your shop against SQL injection attacks that use the UNION clause to steal data. Additionally, it’s important to note that PrestaShop includes a function called pSQL, which includes a strip_tags function. This helps protect your shop against Stored XSS (also known as XSS T2) of Category 1. If a pSQL function is missing, it could potentially expose your project to critical Stored XSS vulnerabilities due to edge cases. Therefore, it’s crucial to ensure that all relevant functions are properly implemented and used consistently throughout your project.
• Change the default database prefix ps_ with a new longer, arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skills because of a design vulnerability in DBMS
• Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

Timeline

Links

• Author product page
• PrestaShop addons product page
• National Vulnerability Database

Summary

• CVE ID: CVE-2024-33266
• Published at: 2024-04-25
• Platform: PrestaShop
• Product: deliveryorderautoupdate
• Impacted release: <= 2.8.1 (2.8.2 fixed the vulnerability)
• Product author: Helloshop
• Weakness: CWE-89
• Severity: critical (9.8)

Description

Ajax script ajax_email.php, all scripts in directory webservices/ and the method DeliveryorderautoupdateOrdersModuleFrontController::initContent() has sensitive SQL calls that can be executed with a trivial http call and exploited to forge a SQL injection.

WARNING : One of exploits (against ajax_email.php) is actively used to deploy a webskimmer to massively steal credit cards.

Note : the author has deleted from his module one of the files (ajax_email.php) which have been suffering from critical vulnerabilities for years, BUT did not set them to be “auto-deleted” during upgrades. Therefore, there are likely merchants out there with older versions who have updated their modules, thinking they are safe. However, there is nothing safe about that, since past upgrades did not auto-delete the implicated files. To ensure everyone has a “safe version”, we decided to mark all versions up to 2.8.1 as impacted by this issue.

DANGER : Patch provided are partial - since there is more than 100 critical issues inside the directory webservices/, we do not provide patch - put the directory under IP restriction without delay or upgrade the module.

One of exploits uses a PrestaShop front controller and most attackers can conceal the module controller’s path during the exploit, so you will never know within your conventional frontend logs that it exploits this vulnerability. You will only see “POST /” inside your conventional frontend logs. Activating the AuditEngine of mod_security (or similar) is the only way to get data to confirm this exploit.

CVSS base metrics

• Attack vector: network
• Attack complexity: low
• Privilege required: none
• User interaction: none
• Scope: unchanged
• Confidentiality: high
• Integrity: high
• Availability: high

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Possible malicious usage

• Obtain admin access
• Remove data from the associated PrestaShop
• Copy/paste data from sensitive tables to FRONT to expose tokens and unlock admin’s ajax scripts
• Rewrite SMTP settings to hijack emails

Proof of concept

PUBLIC POC - seen on 2.2.2- (and potentially newer since author did not auto deleted file)

curl -v 'https://preprod.X/modules/deliveryorderautoupdate/ajax_email.php?lang=1;select(0x73656C65637420736C656570283432293B)INTO@a;prepare`b`from@a;execute`b`;--'

Patch from 2.2.2

This one can impact newer version than 2.2.2, see Note above.

--- 2.2.2/modules/deliveryorderautoupdate/ajax_email.php
+++ XXXXX/modules/deliveryorderautoupdate/ajax_email.php
...
    $lang = Db::getInstance()->getRow(
-       'SELECT iso_code FROM '._DB_PREFIX_.'lang WHERE id_lang='.Tools::getValue('lang')
+       'SELECT iso_code FROM '._DB_PREFIX_.'lang WHERE id_lang='.(int) Tools::getValue('lang')

Patch from 2.8.1

--- 2.8.1/modules/deliveryorderautoupdate/controllers/front/orders.php
+++ XXXXX/modules/deliveryorderautoupdate/controllers/front/orders.php
...
        if (Tools::isSubmit('id_email')) {
-           $id_email =  Tools::getValue('id_email');
+           $id_email =  (int) Tools::getValue('id_email');
            $order = Order::getByReference($id)->getFirst();
            if ($order) {
                $id_order = $order->id;
                Db::getInstance()->update('hl_tracking_email', array(
                    'email_status' => 3,
-               ), "id = {$id_email} AND id_order = {$id_order}");
+               ), "id = ". $id_email . " AND id_order = " . (int) $id_order);
            }
        }

Other recommendations

• It’s recommended to upgrade to the latest version of the module deliveryorderautoupdate.
• You should restrict access to modules/deliveryorderautoupdate/webservices/ to a given whitelist
• To help improve the security of your PrestaShop installation, we recommend upgrading to the latest version. One of the benefits of upgrading is that it will disable the use of multiquery executions (separated by semicolons). However, please be aware that this will not protect your shop against SQL injection attacks that use the UNION clause to steal data. Additionally, it’s important to note that PrestaShop includes a function called pSQL, which includes a strip_tags function. This helps protect your shop against Stored XSS (also known as XSS T2) of Category 1. If a pSQL function is missing, it could potentially expose your project to critical Stored XSS vulnerabilities due to edge cases. Therefore, it’s crucial to ensure that all relevant functions are properly implemented and used consistently throughout your project.
• Change the default database prefix ps_ with a new longer, arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skills because of a design vulnerability in DBMS
• Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

Timeline

Links

• Author product page
• PrestaShop addons product page
• National Vulnerability Database

Summary

• CVE ID: CVE-2024-33271
• Published at: 2024-04-25
• Platform: PrestaShop
• Product: eventsmanager
• Impacted release: <= 4.3.0 (4.4.0 fixed the vulnerability)
• Product author: FME Modules
• Weakness: CWE-359
• Severity: high (7.5), GDPR violation

Description

Due to a lack of permissions control, a guest can download data from ps_customer such as : name / surname / email

CVSS base metrics

• Attack vector: network
• Attack complexity: low
• Privilege required: none
• User interaction: none
• Scope: unchanged
• Confidentiality: high
• Integrity: none
• Availability: none

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Possible malicious usage

• Steal personal data

Other recommendations

• It’s recommended to upgrade to the latest version of the module eventsmanager.

Timeline

Links

• Author product page
• PrestaShop addons product page
• National Vulnerability Database

Summary

• CVE ID: CVE-2024-33269
• Published at: 2024-04-25
• Platform: PrestaShop
• Product: flashsales
• Impacted release: <= 1.9.7 (1.9.8 fixed the vulnerability)
• Product author: Prestaddons
• Weakness: CWE-89
• Severity: critical (9.8)

Description

Due to a predictable hardcoded token, the method FsModel::getFlashSales() has sensitive SQL calls that can be executed with a trivial http call and exploited to forge a SQL injection.

Be warned that this module still suffer of a predictable token that you should update on each installation.

CVSS base metrics

• Attack vector: network
• Attack complexity: low
• Privilege required: none
• User interaction: none
• Scope: unchanged
• Confidentiality: high
• Integrity: high
• Availability: high

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Possible malicious usage

• Obtain admin access
• Remove data from the associated PrestaShop
• Copy/paste data from sensitive tables to FRONT to expose tokens and unlock admin’s ajax scripts
• Rewrite SMTP settings to hijack emails

Patch from 1.9.7

--- 1.9.7/modules/flashsales/fsmodel.class.php
+++ 1.9.8/modules/flashsales/fsmodel.class.php
...
        if ($order_by != '') {
            if (empty($order_by) || $order_by == 'position') {
                $order_by = 'date_add';
            }
+           if (!Validate::isOrderBy($order_by) || !Validate::isOrderWay($order_way)) { die(Tools::displayError());}
            if ($order_by == 'asc' || $order_by == 'desc') {
                $sql .= ' ORDER BY '._DB_PREFIX_.'product_lang.'.$order_by.' '.$order_way;
            } else 
                $sql .= ' ORDER BY '.$order_by.' '.$order_way;
            }
        }

Other recommendations

• It’s recommended to upgrade to the latest version of the module flashsales.
• To help improve the security of your PrestaShop installation, we recommend upgrading to the latest version. One of the benefits of upgrading is that it will disable the use of multiquery executions (separated by semicolons). However, please be aware that this will not protect your shop against SQL injection attacks that use the UNION clause to steal data. Additionally, it’s important to note that PrestaShop includes a function called pSQL, which includes a strip_tags function. This helps protect your shop against Stored XSS (also known as XSS T2) of Category 1. If a pSQL function is missing, it could potentially expose your project to critical Stored XSS vulnerabilities due to edge cases. Therefore, it’s crucial to ensure that all relevant functions are properly implemented and used consistently throughout your project.
• Change the default database prefix ps_ with a new longer, arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skill because of a design vulnerability in DBMS
• Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

Timeline

Links

• Author product page
• PrestaShop addons product page
• National Vulnerability Database

Summary

• CVE ID: CVE-2024-33268
• Published at: 2024-04-25
• Platform: PrestaShop
• Product: mdgiftproduct
• Impacted release: < 1.4.1 (1.4.1 fixed the vulnerability)
• Product author: Digincube
• Weakness: CWE-89
• Severity: critical (9.8)

Description

The method MdGiftRule::addGiftToCart() has sensitive SQL calls that can be executed with a trivial http call and exploited to forge a SQL injection.

This exploit uses a PrestaShop front controller and most attackers can conceal the module controller’s path during the exploit, so you will never know within your conventional frontend logs that it exploits this vulnerability. You will only see “POST /” inside your conventional frontend logs. Activating the AuditEngine of mod_security (or similar) is the only way to get data to confirm this exploit.

CVSS base metrics

• Attack vector: network
• Attack complexity: low
• Privilege required: none
• User interaction: none
• Scope: unchanged
• Confidentiality: high
• Integrity: high
• Availability: high

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Possible malicious usage

• Obtain admin access
• Remove data from the associated PrestaShop
• Copy/paste data from sensitive tables to FRONT to expose tokens and unlock admin’s ajax scripts
• Rewrite SMTP settings to hijack emails

Patch from 1.3.9

--- 1.3.9/modules/mdgiftproduct/classes/models/MdGiftRule.php
+++ XXXXX/modules/mdgiftproduct/classes/models/MdGiftRule.php
        $insert_product_discount = [];
        if (!empty($products)) {
            foreach ($products as $productItem) {
-               $productItemAttribut = isset($productItem['id_product_attribute']) ? $productItem['id_product_attribute'] : 0;
+               $productItemAttribut = isset($productItem['id_product_attribute']) ? (int) $productItem['id_product_attribute'] : 0;
                if ($auto) {
                    $productItem['qty'] = $nb_product == 1 ? (int)$this->nb_product_gift : 1;
                }
                $productItem_qty = isset($productItem['qty']) ? (int)$productItem['qty'] : 1;

                $cart->updateQty($productItem_qty, $productItem['id_product'], $productItemAttribut, false, 'up');
                $hashData = uniqid().$this->id .'_'. $cart->id . '_' . $productItem['id_product']. '_' . $productItemAttribut;
                $values_hash = md5($hashData);
                //$insert_product_discount[] = '('.(int)$cart->id.','.(int)$this->id.','.(int)$productItem['id_product'].','.$productItemAttribut.','.($nb_product == 1 ? (int)$this->nb_product_gift : 1).', "'.$values_hash.'" )';

                $insert_product_discount[] = '('.(int)$cart->id.','.(int)$this->id.','.(int)$productItem['id_product'].','.$productItemAttribut.','.$productItem_qty.', "'.$values_hash.'" )';
            }
        }

Other recommendations

• It’s recommended to upgrade to the latest version of the module mdgiftproduct.
• To help improve the security of your PrestaShop installation, we recommend upgrading to the latest version. One of the benefits of upgrading is that it will disable the use of multiquery executions (separated by semicolons). However, please be aware that this will not protect your shop against SQL injection attacks that use the UNION clause to steal data. Additionally, it’s important to note that PrestaShop includes a function called pSQL, which includes a strip_tags function. This helps protect your shop against Stored XSS (also known as XSS T2) of Category 1. If a pSQL function is missing, it could potentially expose your project to critical Stored XSS vulnerabilities due to edge cases. Therefore, it’s crucial to ensure that all relevant functions are properly implemented and used consistently throughout your project.
• Change the default database prefix ps_ with a new longer, arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skill because of a design vulnerability in DBMS
• Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

Timeline

Links

• PrestaShop addons product page
• National Vulnerability Database

Summary

• CVE ID: CVE-2024-33276
• Published at: 2024-04-25
• Platform: PrestaShop
• Product: preorderandnotification
• Impacted release: <= 3.1.0 (3.1.1 fixed the vulnerability)
• Product author: FME Modules
• Weakness: CWE-89
• Severity: critical (9.8)

Description

The method PreorderModel::getIdProductAttributesByIdAttributes() has sensitive SQL call that can be executed with a trivial http call and exploited to forge a SQL injection.

This exploit uses a PrestaShop front controller and most attackers can conceal the module controller’s path during the exploit, so you will never know within your conventional frontend logs that it exploits this vulnerability. You will only see “POST /” inside your conventional frontend logs. Activating the AuditEngine of mod_security (or similar) is the only way to get data to confirm this exploit.

CVSS base metrics

• Attack vector: network
• Attack complexity: low
• Privilege required: none
• User interaction: none
• Scope: unchanged
• Confidentiality: high
• Integrity: high
• Availability: high

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Possible malicious usage

• Obtain admin access
• Remove data from the associated PrestaShop
• Copy/paste data from sensitive tables to FRONT to expose tokens and unlock admin’s ajax scripts
• Rewrite SMTP settings to hijack emails

Patch from 3.1.0

--- 3.1.0/modules/preorderandnotification/models/PreorderModel.php
+++ 3.1.1/modules/preorderandnotification/models/PreorderModel.php
        INNER JOIN `' . _DB_PREFIX_ . 'product_attribute` pa ON pa.id_product_attribute = pac.id_product_attribute
-       WHERE id_product = ' . (int) $id_product . ' AND id_attribute IN (' . implode(',', $id_attributes) . ')
+       WHERE id_product = ' . (int) $id_product . ' AND id_attribute IN (' . implode(',', array_may('intval', $id_attributes)) . ')
        GROUP BY id_product_attribute
        HAVING COUNT(id_product) = ' . count($id_attributes));

Other recommendations

• It’s recommended to upgrade to the latest version of the module preorderandnotification.
• To help improve the security of your PrestaShop installation, we recommend upgrading to the latest version. One of the benefits of upgrading is that it will disable the use of multiquery executions (separated by semicolons). However, please be aware that this will not protect your shop against SQL injection attacks that use the UNION clause to steal data. Additionally, it’s important to note that PrestaShop includes a function called pSQL, which includes a strip_tags function. This helps protect your shop against Stored XSS (also known as XSS T2) of Category 1. If a pSQL function is missing, it could potentially expose your project to critical Stored XSS vulnerabilities due to edge cases. Therefore, it’s crucial to ensure that all relevant functions are properly implemented and used consistently throughout your project.
• Change the default database prefix ps_ with a new longer, arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skills because of a design vulnerability in DBMS
• Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

Timeline

Links

• Author product page
• PrestaShop addons product page
• National Vulnerability Database

Summary

• CVE ID: CVE-2024-28387
• Published at: 2024-03-19
• Platform: PrestaShop
• Product: axonaut
• Impacted release: <= 3.1.23 (3.2.0 fixed the vulnerability)
• Product author: Axonaut
• Weakness: CWE-359
• Severity: high (7.5), GDPR violation

Description

Due to a lack of permissions control, a guest can access log file from the module which can lead to leak of personal information from ps_customer/ps_address tables such as email / full postal address

CVSS base metrics

• Attack vector: network
• Attack complexity: low
• Privilege required: none
• User interaction: none
• Scope: unchanged
• Confidentiality: high
• Integrity: none
• Availability: none

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Possible malicious usage

• Steal personal data

Other recommendations

• It’s recommended to upgrade to the latest version of the module axonaut.
• You should restrict access to this URI pattern : modules/axonaut/ to a given whitelist

Timeline

Links

• Author product page
• National Vulnerability Database

Summary

• CVE ID: CVE-2024-28386
• Published at: 2024-03-19
• Advisory source: Friends-of-presta.org
• Platform: PrestaShop
• Product: fastmagsync
• Impact release: <= 1.7.52 (1.7.53 fixed the vulnerability)
• Product author: Home-Made.io
• Weakness: CWE-78
• Severity: critical (10)

Description

The function getPhpBin() do not properly sanitize output, an attacker can inject into this sequence an arbitrary executable script.

CVSS base metrics

• Attack vector: network
• Attack complexity: low
• Privilege required: none
• User interaction: none
• Scope: changed
• Confidentiality: high
• Integrity: high
• Availability: high

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Possible malicious usage

• Control and hijack a PrestaShop

Patch from 1.7.51

--- 1.7.51/modules/fastmagsync/crons/common.php
+++ XXXXXX/modules/fastmagsync/crons/common.php
...
        $get_version = explode('.', $hosting);
        if (count($get_version) > 1) {
            array_shift($get_version);
+           if(preg_match('/[\d]\.[\d]/i',implode('.', $get_version))){
-           $php_version = implode('.', $get_version);
+              $php_version = implode('.', $get_version);
+           }
        }
        $php_bin = '/usr/local/php' . $php_version . '/bin/php';

Other recommendations

• It’s recommended to upgrade to the latest version of the module fastmagsync.
• Activate OWASP 932’s and 933’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

Timeline

Links

• Author product page
• National Vulnerability Database

Summary

• CVE ID: CVE-2024-28393
• Published at: 2024-03-19
• Advisory source: Friends-Of-Presta.org
• Platform: PrestaShop
• Product: scalapay
• Impacted release: <= 1.2.41 (1.2.42 fixed the vulnerability)
• Product author: Scalapay
• Weakness: CWE-89
• Severity: critical (9.8)

Description

The method ScalapayReturnModuleFrontController::postProcess() has sensitive SQL calls that can be executed with a trivial http call and exploited to forge a SQL injection.

This exploit uses a PrestaShop front controller and most attackers can conceal the module controller’s path during the exploit, so you will never know within your conventional frontend logs that it exploits this vulnerability. You will only see “POST /” inside your conventional frontend logs. Activating the AuditEngine of mod_security (or similar) is the only way to get data to confirm this exploit.

CVSS base metrics

• Attack vector: network
• Attack complexity: low
• Privilege required: none
• User interaction: none
• Scope: unchanged
• Confidentiality: high
• Integrity: high
• Availability: high

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Possible malicious usage

• Obtain admin access
• Remove data from the associated PrestaShop
• Copy/paste data from sensitive tables to FRONT to expose tokens and unlock admin’s ajax scripts
• Rewrite SMTP settings to hijack emails

Patch from 1.2.41

--- 1.2.41/modules/scalapay/controllers/front/return.php
+++ 1.2.42/modules/scalapay/controllers/front/return.php
...
            if ((!isset($cart) or !$cart->id) && $cart_id_return != '') {
                // get customer id from cart table
-               $query_scalapay_get = Db::getInstance(_PS_USE_SQL_SLAVE_)->executeS("SELECT id_customer FROM " . _DB_PREFIX_ . "cart WHERE id_cart='" . $cart_id_return . "'");
+               $query_scalapay_get = Db::getInstance(_PS_USE_SQL_SLAVE_)->executeS("SELECT id_customer FROM " . _DB_PREFIX_ . "cart WHERE id_cart='" . pSQL($cart_id_return) . "'");

Other recommendations

• It’s recommended to upgrade to the latest version of the module scalapay.
• To help improve the security of your PrestaShop installation, we recommend upgrading to the latest version. One of the benefits of upgrading is that it will disable the use of multiquery executions (separated by semicolons). However, please be aware that this will not protect your shop against SQL injection attacks that use the UNION clause to steal data. Additionally, it’s important to note that PrestaShop includes a function called pSQL, which includes a strip_tags function. This helps protect your shop against Stored XSS (also known as XSS T2) of Category 1. If a pSQL function is missing, it could potentially expose your project to critical Stored XSS vulnerabilities due to edge cases. Therefore, it’s crucial to ensure that all relevant functions are properly implemented and used consistently throughout your project.
• Change the default database prefix ps_ with a new longer, arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skill because of a design vulnerability in DBMS
• Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

Timeline

Links

• PrestaShop addons product page
• National Vulnerability Database

Summary

• CVE ID: CVE-2024-28395
• Published at: 2024-03-14
• Platform: PrestaShop
• Product: bestkit_popup
• Impacted release: <= 1.7.2 (WARNING : all versions)
• Product author: Best-Kit
• Weakness: CWE-89
• Severity: critical (9.8)

Description

The method bestkit_popup::prepareHook() has sensitive SQL calls that can be executed with a trivial http call and exploited to forge a SQL injection.

This exploit uses a PrestaShop Hook stappled on all pages and most attackers can conceal the attack during the exploit, so you will never know within your conventional frontend logs that it exploits this vulnerability. You will only see “POST /” inside your conventional frontend logs. Activating the AuditEngine of mod_security (or similar) is the only way to get data to confirm this exploit.

WARNING : This module is no longer maintain so you should delete it.

CVSS base metrics

• Attack vector: network
• Attack complexity: low
• Privilege required: none
• User interaction: none
• Scope: unchanged
• Confidentiality: high
• Integrity: high
• Availability: high

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Possible malicious usage

• Obtain admin access
• Remove data from the associated PrestaShop
• Copy/paste data from sensitive tables to FRONT to expose tokens and unlock admin’s ajax scripts
• Rewrite SMTP settings to hijack emails

Patch from 1.7.2

--- 1.7.2/modules/bestkit_popup/bestkit_popup.php
+++ XXXXX/modules/bestkit_popup/bestkit_popup.php
...
-       $current_url = Tools::strtolower($_SERVER['REQUEST_URI']);
+       $current_url = pSQL(Tools::strtolower($_SERVER['REQUEST_URI']));
        $join_custom_url = ' OR (pl.custom_url LIKE "'.$current_url.'" OR ';
...

Other recommendations

• It’s recommended to upgrade to the latest version of the module bestkit_popup.
• To help improve the security of your PrestaShop installation, we recommend upgrading to the latest version. One of the benefits of upgrading is that it will disable the use of multiquery executions (separated by semicolons). However, please be aware that this will not protect your shop against SQL injection attacks that use the UNION clause to steal data. Additionally, it’s important to note that PrestaShop includes a function called pSQL, which includes a strip_tags function. This helps protect your shop against Stored XSS (also known as XSS T2) of Category 1. If a pSQL function is missing, it could potentially expose your project to critical Stored XSS vulnerabilities due to edge cases. Therefore, it’s crucial to ensure that all relevant functions are properly implemented and used consistently throughout your project.
• Change the default database prefix ps_ with a new longer, arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skill because of a design vulnerability in DBMS
• Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

Timeline

Links

• PrestaShop addons product page
• National Vulnerability Database

Summary

• CVE ID: CVE-2024-28396
• Published at: 2024-03-14
• Platform: PrestaShop
• Product: ordersexport
• Impacted release: <= 6.0.2 (6.0.3 fixed the vulnerability)
• Product author: MyPrestaModules
• Weakness: CWE-200
• Severity: high (7.5), GDPR violation

Description

Due to a unprotected txt file and an unprotected download.php script, a guest can access sensitive information such as FTP credentials.

CVSS base metrics

• Attack vector: network
• Attack complexity: low
• Privilege required: none
• User interaction: none
• Scope: unchanged
• Confidentiality: high
• Integrity: none
• Availability: none

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Possible malicious usage

• Data leaks

Other recommendations

• It’s recommended to upgrade to the latest version of the module ordersexport.
• You should restrict access to the folder modules/ordersexport/ to a given whitelist

Timeline

Links

• PrestaShop addons product page
• Author product page
• National Vulnerability Database

Summary

• CVE ID: CVE-2024-28392
• Published at: 2024-03-14
• Platform: PrestaShop
• Product: pscartabandonmentpro
• Impacted release: <= 2.0.11 (2.0.12 fixed the vulnerability)
• Product author: PrestaShop
• Weakness: CWE-89
• Severity: high (8.8)

Description

The method pscartabandonmentproFrontCAPUnsubscribeJobModuleFrontController::setEmailVisualized() has sensitive SQL call that can be executed with a trivial http call and exploited to forge a SQL injection.

This exploit uses a PrestaShop front controller and most attackers can conceal the module controller’s path during the exploit, so you will never know within your conventional frontend logs that it exploits this vulnerability. You will only see “POST /” inside your conventional frontend logs. Activating the AuditEngine of mod_security (or similar) is the only way to get data to confirm this exploit.

CVSS base metrics

• Attack vector: network
• Attack complexity: low
• Privilege required: low
• User interaction: none
• Scope: unchanged
• Confidentiality: high
• Integrity: high
• Availability: high

Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Possible malicious usage

• Obtain admin access
• Remove data from the associated PrestaShop
• Copy/paste data from sensitive tables to FRONT to expose tokens and unlock admin’s ajax scripts
• Rewrite SMTP settings to hijack emails

Patch from 2.0.11

--- 2.0.11/modules/pscartabandonmentpro/controllers/front/FrontCAPUnsubscribeJob.php
+++ 2.0.12/modules/pscartabandonmentpro/controllers/front/FrontCAPUnsubscribeJob.php
-       $iCartId = Tools::getValue('id_cart');
-       $iReminderId = Tools::getValue('id_reminder');
+       $iCartId = (int) Tools::getValue('id_cart');
+       $iReminderId = (int) Tools::getValue('id_reminder');

Other recommendations

• It’s recommended to upgrade to the latest version of the module pscartabandonmentpro.
• To help improve the security of your PrestaShop installation, we recommend upgrading to the latest version. One of the benefits of upgrading is that it will disable the use of multiquery executions (separated by semicolons). However, please be aware that this will not protect your shop against SQL injection attacks that use the UNION clause to steal data. Additionally, it’s important to note that PrestaShop includes a function called pSQL, which includes a strip_tags function. This helps protect your shop against Stored XSS (also known as XSS T2) of Category 1. If a pSQL function is missing, it could potentially expose your project to critical Stored XSS vulnerabilities due to edge cases. Therefore, it’s crucial to ensure that all relevant functions are properly implemented and used consistently throughout your project.
• Change the default database prefix ps_ with a new longer, arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skills because of a design vulnerability in DBMS
• Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

Timeline

Links

• PrestaShop addons product page
• National Vulnerability Database

Summary

• CVE ID: CVE-2024-28394
• Published at: 2024-03-14
• Platform: PrestaShop
• Product: reportsstatistics
• Impacted release: <= 1.3.20 (1.3.30 fixed the critical issue - see WARNING below)
• Product author: Advanced Plugins
• Weakness: CWE-73
• Severity: critical (9.1)

Description

Due to a broken access control, a guest can delete all files of the PrestaShop including .htaccess to access protected folders to steal sensitives data.

WARNING : Be warned that the module still has sensitive issues that suffer a CVSS score 3.1 <= 7.2/10.

CVSS base metrics

• Attack vector: network
• Attack complexity: low
• Privilege required: none
• User interaction: none
• Scope: unchanged
• Confidentiality: none
• Integrity: high
• Availability: high

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Possible malicious usage

• Download and delete all files from the Shop
• Disable critical security configuration (.htaccess)

Patch from 1.3.20

--- 1.3.20/module/reportsstatistics/export/export.php
+++ XXXXXX/module/reportsstatistics/export/export.php
...
-$file = urldecode(Tools::getValue('file'));
+$file = basename(urldecode(Tools::getValue('file')));

if(file_exists(dirname(__FILE__).'/'.$file))
{
	header('Content-type: application/vnd.ms-excel');
	header('Content-Disposition: attachment; filename='.$file);
	readfile(dirname(__FILE__).'/'.$file);
	unlink(dirname(__FILE__).'/'.$file);
	die();
}
...

--- 1.3.12/module/reportsstatistics/ajax_public.php
+++ XXXXXX/module/reportsstatistics/ajax_public.php
...
-			$current_value = Tools::jsonDecode(unserialize($context->cookie->apc_fields), true);
+			$current_value = Tools::jsonDecode(unserialize($context->cookie->apc_fields, ['allowed_classes' => false]), true); // Harmless until proven otherwise just for the principle.
...

Seen by a contributor in 1.3.20 :

--- 1.3.20/module/reportsstatistics/reportsstatistics.php
+++ XXXXXX/module/reportsstatistics/reportsstatistics.php
@@ -643 +643 @@ class reportsstatistics extends Module
-            $current_value = Tools::jsonDecode(unserialize($context->cookie->apc_fields), true);
+            $current_value = Tools::jsonDecode(unserialize($context->cookie->apc_fields, ['allowed_classes' => false]), true); // Harmless until proven otherwise just for the principle.
@@ -670 +670 @@ class reportsstatistics extends Module
-            $current_value = Tools::jsonDecode(unserialize($context->cookie->apc_fields), true);
+            $current_value = Tools::jsonDecode(unserialize($context->cookie->apc_fields, ['allowed_classes' => false]), true); // Harmless until proven otherwise just for the principle.

Other recommendations

• It’s recommended to upgrade to the latest version of the module reportsstatistics.
• NEVER expose a PHPMyAdmin / Adminer / etc without, at least, a htpasswd
• Activate OWASP 930’s rules on your WAF (Web application firewall) and adjust it for your PrestaShop

Timeline

Links

• PrestaShop addons product page
• Author product page
• National Vulnerability Database

Summary

• CVE ID: CVE-2024-28391
• Published at: 2024-03-12
• Platform: PrestaShop
• Product: quickproducttable
• Impacted release: <= 1.2.1 (1.3.0 fixed the vulnerability)
• Product author: FME Modules
• Weakness: CWE-89
• Severity: critical (9.8)

Description

Methods QuickProductTableFmmQuickModuleFrontController::readCsv(), QuickProductTableAjaxModuleFrontController::displayAjaxProductChangeAttr, QuickProductTableAjaxModuleFrontController::displayAjaxProductAddToCart, QuickProductTableAjaxModuleFrontController::getSearchProducts, QuickProductTableAjaxModuleFrontController::displayAjaxProductSku has sensitive SQL call that can be executed with a trivial http call and exploited to forge a SQL injection.

WARNING : One of exploits use a forged CSV so it will bypass most WAF.

This exploit uses a PrestaShop front controller and most attackers can conceal the module controller’s path during the exploit, so you will never know within your conventional frontend logs that it exploits this vulnerability. You will only see “POST /” inside your conventional frontend logs. Activating the AuditEngine of mod_security (or similar) is the only way to get data to confirm this exploit.

CVSS base metrics

• Attack vector: network
• Attack complexity: low
• Privilege required: none
• User interaction: none
• Scope: unchanged
• Confidentiality: high
• Integrity: high
• Availability: high

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Possible malicious usage

• Obtain admin access
• Remove data from the associated PrestaShop
• Copy/paste data from sensitive tables to FRONT to expose tokens and unlock admin’s ajax scripts
• Rewrite SMTP settings to hijack emails

Patch from 1.2.1

--- 1.2.1/modules/quickproducttable/controllers/front/ajax.php
+++ 1.3.0/modules/quickproducttable/controllers/front/ajax.php
@@ -51,7 +51,7 @@ class QuickProductTableAjaxModuleFrontCo
         SELECT pac.`id_product_attribute`
         FROM `' . _DB_PREFIX_ . 'product_attribute_combination` pac
         INNER JOIN `' . _DB_PREFIX_ . 'product_attribute` pa ON pa.id_product_attribute = pac.id_product_attribute
-        WHERE id_product = ' . (int) $id_product . ' AND id_attribute IN (' . implode(',', $id_attributes) . ')
+        WHERE id_product = ' . (int) $id_product . ' AND id_attribute IN (' . implode(',', array_map('intval', $id_attributes)) . ')
         GROUP BY id_product_attribute
         HAVING COUNT(id_product) = ' . count($id_attributes));
         $price = Product::getPriceStatic($id_product, true, $id_product_attribute);
@@ -91,7 +91,7 @@ class QuickProductTableAjaxModuleFrontCo
         SELECT pac.`id_product_attribute`
         FROM `' . _DB_PREFIX_ . 'product_attribute_combination` pac
         INNER JOIN `' . _DB_PREFIX_ . 'product_attribute` pa ON pa.id_product_attribute = pac.id_product_attribute
-        WHERE id_product = ' . (int) $id_product . ' AND id_attribute IN (' . implode(',', $id_attributes) . ')
+        WHERE id_product = ' . (int) $id_product . ' AND id_attribute IN (' . implode(',', array_map('intval', $id_attributes)) . ')
         GROUP BY id_product_attribute
         HAVING COUNT(id_product) = ' . count($id_attributes));

@@ -193,7 +193,7 @@ class QuickProductTableAjaxModuleFrontCo
                 LEFT JOIN `' . _DB_PREFIX_ .
                 'image_lang` il ON (image_shop.`id_image` = il.`id_image` AND il.`id_lang` = ' .
         (int) $context->language->id . ')
-                WHERE p.id_product NOT IN (' . $enable_pro . ') AND p.id_category_default IN (' . $category . ')
+                WHERE p.id_product NOT IN (' . $enable_pro . ') AND p.id_category_default IN (' . implode(',', array_map('intval', explode(',', $category))) . ')
                 AND (pl.name LIKE \'%' . pSQL($query) . '%\' OR p.reference LIKE \'%' . pSQL($query) . '%\')' .
             (!empty($excludeIds) ? ' AND p.id_product NOT IN (' . $excludeIds . ') ' : ' ') .
             ($excludeVirtuals ? 'AND NOT EXISTS (SELECT 1 FROM `' . _DB_PREFIX_ .
@@ -493,7 +493,7 @@ class QuickProductTableAjaxModuleFrontCo
             $sql = new DbQuery();
             $sql->select('id_product');
             $sql->from('product');
-            $sql->where('reference = "' . $reference . '"');
+            $sql->where('reference = "' . pSQL($reference) . '"');
             $id_product = Db::getInstance()->getValue($sql);

--- 1.2.1/modules/quickproducttable/controllers/front/fmmquick.php
+++ 1.3.0/modules/quickproducttable/controllers/front/fmmquick.php
@@ -985,7 +985,7 @@ class QuickProductTableFmmQuickModuleFro
                 $sql = new DbQuery();
                 $sql->select('id_product');
                 $sql->from('product');
-                $sql->where('reference = "' . $reference . '"');
+                $sql->where('reference = "' . pSQL($reference) . '"');
                 $id_product = Db::getInstance()->getValue($sql);
                 $qty = (int) $key[1];

Other recommendations

• It’s recommended to upgrade to the latest version of the module quickproducttable.
• To help improve the security of your PrestaShop installation, we recommend upgrading to the latest version. One of the benefits of upgrading is that it will disable the use of multiquery executions (separated by semicolons). However, please be aware that this will not protect your shop against SQL injection attacks that use the UNION clause to steal data. Additionally, it’s important to note that PrestaShop includes a function called pSQL, which includes a strip_tags function. This helps protect your shop against Stored XSS (also known as XSS T2) of Category 1. If a pSQL function is missing, it could potentially expose your project to critical Stored XSS vulnerabilities due to edge cases. Therefore, it’s crucial to ensure that all relevant functions are properly implemented and used consistently throughout your project.
• Change the default database prefix ps_ with a new longer, arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skills because of a design vulnerability in DBMS
• Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

Timeline

Links

• PrestaShop addons product page
• Author product page
• National Vulnerability Database

Summary

• CVE ID: CVE-2024-28389
• Published at: 2024-03-12
• Platform: PrestaShop
• Product: spinwheel
• Impacted release: <= 3.0.3 (3.0.4 fixed the vulnerability)
• Product author: KnowBand
• Weakness: CWE-89
• Severity: critical (9.8)

Description

The method SpinWheelFrameSpinWheelModuleFrontController::sendEmail() has sensitive SQL call that can be executed with a trivial http call and exploited to forge a SQL injection.

This exploit uses a PrestaShop front controller and most attackers can conceal the module controller’s path during the exploit, so you will never know within your conventional frontend logs that it exploits this vulnerability. You will only see “POST /” inside your conventional frontend logs. Activating the AuditEngine of mod_security (or similar) is the only way to get data to confirm this exploit.

CVSS base metrics

• Attack vector: network
• Attack complexity: low
• Privilege required: none
• User interaction: none
• Scope: unchanged
• Confidentiality: high
• Integrity: high
• Availability: high

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Possible malicious usage

• Obtain admin access
• Remove data from the associated PrestaShop
• Copy/paste data from sensitive tables to FRONT to expose tokens and unlock admin’s ajax scripts
• Rewrite SMTP settings to hijack emails

Patch from 3.0.3

--- 3.0.3/modules/spinwheel/controllers/front/framespinwheel.php
+++ 3.0.4/modules/spinwheel/controllers/front/framespinwheel.php
private static function transactionExists(string
...
-       $sql = 'select slice_type, coupon_value, coupon_type, gift_product from ' . _DB_PREFIX_ . 'wheel_slices where slice_no=' . pSQL($slice_no);
+       $sql = 'select slice_type, coupon_value, coupon_type, gift_product from ' . _DB_PREFIX_ . 'wheel_slices where slice_no=' . (int) $slice_no;
        $query = db::getInstance()->getRow($sql);

Other recommendations

• It’s recommended to upgrade to the latest version of the module spinwheel.
• To help improve the security of your PrestaShop installation, we recommend upgrading to the latest version. One of the benefits of upgrading is that it will disable the use of multiquery executions (separated by semicolons). However, please be aware that this will not protect your shop against SQL injection attacks that use the UNION clause to steal data. Additionally, it’s important to note that PrestaShop includes a function called pSQL, which includes a strip_tags function. This helps protect your shop against Stored XSS (also known as XSS T2) of Category 1. If a pSQL function is missing, it could potentially expose your project to critical Stored XSS vulnerabilities due to edge cases. Therefore, it’s crucial to ensure that all relevant functions are properly implemented and used consistently throughout your project.
• Change the default database prefix ps_ with a new longer, arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skills because of a design vulnerability in DBMS
• Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

Timeline

Links

• PrestaShop addons product page
• Author product page
• National Vulnerability Database

Summary

• CVE ID: CVE-2024-28388
• Published at: 2024-03-12
• Platform: PrestaShop
• Product: stproductcomments
• Impacted release: <= 1.0.5 (1.0.6 fixed the vulnerability)
• Product author: SunnyToo
• Weakness: CWE-89
• Severity: critical (9.8)

Description

The method StProductCommentClass::getListComments have sensitive SQL call that can be executed with a trivial http call and exploited to forge a SQL injection.

This exploit uses a PrestaShop front controller and most attackers can conceal the module controller’s path during the exploit, so you will never know within your conventional frontend logs that it exploits this vulnerability. You will only see “POST /” inside your conventional frontend logs. Activating the AuditEngine of mod_security (or similar) is the only way to get data to confirm this exploit.

CVSS base metrics

• Attack vector: network
• Attack complexity: low
• Privilege required: none
• User interaction: none
• Scope: unchanged
• Confidentiality: high
• Integrity: high
• Availability: high

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Possible malicious usage

• Obtain admin access
• Remove data from the associated PrestaShop
• Copy/paste data from sensitive tables to FRONT to expose tokens and unlock admin’s ajax scripts
• Rewrite SMTP settings to hijack emails

Patch from 1.0.5

--- 1.0.5/modules/stproductcomments/classes/StProductCommentClass.php
+++ XXXXX/modules/stproductcomments/classes/StProductCommentClass.php
-       if (!$order_by) {
+       if (!Validate::isOrderBy($order_by)) {
            $order_by = 'pc.`featured`, `date_add`';
        }
       
-       if ($order_way) {
+       if (!Validate::isOrderWay($order_way)) {
           $order_way = 'DESC';
        }

Other recommendations

• It’s recommended to upgrade to the latest version of the module stproductcomments.
• To help improve the security of your PrestaShop installation, we recommend upgrading to the latest version. One of the benefits of upgrading is that it will disable the use of multiquery executions (separated by semicolons). However, please be aware that this will not protect your shop against SQL injection attacks that use the UNION clause to steal data. Additionally, it’s important to note that PrestaShop includes a function called pSQL, which includes a strip_tags function. This helps protect your shop against Stored XSS (also known as XSS T2) of Category 1. If a pSQL function is missing, it could potentially expose your project to critical Stored XSS vulnerabilities due to edge cases. Therefore, it’s crucial to ensure that all relevant functions are properly implemented and used consistently throughout your project.
• Change the default database prefix ps_ with a new longer, arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skills because of a design vulnerability in DBMS
• Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

Timeline

Links

• Author product page
• National Vulnerability Database

Summary

• CVE ID: CVE-2024-28390
• Published at: 2024-03-12
• Platform: PrestaShop
• Product: ultimateimagetool
• Impacted release: < 2.2.01 (2.2.01 fixed the vulnerability)
• Product author: Advanced Plugins
• Weakness: CWE-284
• Severity: critical (9.1)

Description

Due to a predictable token, a guest can update all configurations of the PrestaShop.

Be warned that the author do not follow a compliant semver version.

Note : the author has deleted from his module the files that have been suffering from critical vulnerabilities for months, BUT did not set them to be “auto-deleted” during upgrades. Therefore, there are likely merchants out there with older versions who have updated their modules, thinking they are safe. However, there is nothing safe about that, since past upgrades did not auto-delete the implicated files. To ensure everyone has a “safe version”, we decided to mark all versions up to 2.2.01 as impacted by this issue.

This exploit uses a PrestaShop front controller and most attackers can conceal the module controller’s path during the exploit, so you will never know within your conventional frontend logs that it exploits this vulnerability. You will only see “POST /” inside your conventional frontend logs. Activating the AuditEngine of mod_security (or similar) is the only way to get data to confirm this exploit.

CVSS base metrics

• Attack vector: network
• Attack complexity: low
• Privilege required: none
• User interaction: none
• Scope: unchanged
• Confidentiality: none
• Integrity: high
• Availability: high

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Possible malicious usage

• Erase/update all configurations from the PrestaShop
• Disable critical security configuration

Other recommendations

• It’s recommended to upgrade to the latest version of the module ultimateimagetool.
• You should consider updating the configuration uit_token for something not predictable

Timeline

Links

• PrestaShop addons product page
• Author product page
• National Vulnerability Database

Summary

• CVE ID: CVE-2024-25845
• Published at: 2024-03-05
• Platform: PrestaShop
• Product: cdcustomfields4orders
• Impacted release: <= 1.0.0 (Author will never patch)
• Product author: Cleanpresta.com
• Weakness: CWE-89
• Severity: critical (9.8)

Description

Ajax scripts ajax.php has sensitive SQL calls that can be executed with a trivial http call and exploited to forge a SQL injection.

Note : the author has discontinued support for its module, so you should consider uninstalling it. Be warned that it moved this critical issue to a front controller in 2.3.0 and put it under an unpredictable token, so the last version always has a high issue with a CVSS 3.1 score of 7.2/10

CVSS base metrics

• Attack vector: network
• Attack complexity: low
• Privilege required: none
• User interaction: none
• Scope: unchanged
• Confidentiality: high
• Integrity: high
• Availability: high

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Possible malicious usage

• Obtain admin access
• Remove data from the associated PrestaShop
• Copy/paste data from sensitive tables to FRONT to expose tokens and unlock admin’s ajax scripts
• Rewrite SMTP settings to hijack emails

Patch from 1.0.0

--- 1.0.0/modules/cdcustomfields4orders/ajax.php
+++ XXXXX/modules/cdcustomfields4orders/ajax.php
...
		if(is_array($value)) $value = implode(',',$value);
-		$sql = 'REPLACE INTO '._DB_PREFIX_.'cd_cfo_values (`id_cd_cfo`, `id_cart`, `value`) VALUES ('.$field[2].', '.$id_cart.', "'.$value.'")';
+		$sql = 'REPLACE INTO '._DB_PREFIX_.'cd_cfo_values (`id_cd_cfo`, `id_cart`, `value`) VALUES ('.(int) $field[2].', '.(int) $id_cart.', "'.pSQL($value).'")';

Other recommendations

• It’s recommended to upgrade to the latest version of the module cdcustomfields4orders.
• To help improve the security of your PrestaShop installation, we recommend upgrading to the latest version. One of the benefits of upgrading is that it will disable the use of multiquery executions (separated by semicolons). However, please be aware that this will not protect your shop against SQL injection attacks that use the UNION clause to steal data. Additionally, it’s important to note that PrestaShop includes a function called pSQL, which includes a strip_tags function. This helps protect your shop against Stored XSS (also known as XSS T2) of Category 1. If a pSQL function is missing, it could potentially expose your project to critical Stored XSS vulnerabilities due to edge cases. Therefore, it’s crucial to ensure that all relevant functions are properly implemented and used consistently throughout your project.
• Change the default database prefix ps_ with a new longer, arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skills because of a design vulnerability in DBMS
• Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

Timeline

Links

• Author page
• National Vulnerability Database

Summary

• CVE ID: CVE-2024-25848
• Published at: 2024-03-05
• Platform: PrestaShop
• Product: everpsseo
• Impacted release: <= 7.13.4 for PrestaShop 1.6 (7.13.5 fix the vulnerability) & <= 8.1.2 for PrestaShop 1.7+ (8.1.3 fixed the vulnerability)
• Product author: Team Ever
• Weakness: CWE-89
• Severity: critical (9.8)

Description

The method EverPsSeo::hookHeader() has sensitive SQL calls that can be executed with a trivial http call and exploited to forge a SQL injection.

This exploit uses a PrestaShop Hook stappled on all pages and most attackers can conceal the attack during the exploit, so you will never know within your conventional frontend logs that it exploits this vulnerability. You will only see “POST /” inside your conventional frontend logs. Activating the AuditEngine of mod_security (or similar) is the only way to get data to confirm this exploit.

CVSS base metrics

• Attack vector: network
• Attack complexity: low
• Privilege required: none
• User interaction: none
• Scope: unchanged
• Confidentiality: high
• Integrity: high
• Availability: high

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Possible malicious usage

• Obtain admin access
• Remove data from the associated PrestaShop
• Copy/paste data from sensitive tables to FRONT to expose tokens and unlock admins’s ajax scripts
• Rewrite SMTP settings to hijack emails

Patch from 7.8.15

--- 7.8.15/modules/everpsseo/everpsseo.php
+++ XXXXXX/modules/everpsseo/everpsseo.php
...
                        FROM '._DB_PREFIX_.'meta
-                       WHERE page = "'.(string)$controller_name.'"'
+                       WHERE page = "'.pSQL($controller_name).'"'
                    );
...
                        FROM '._DB_PREFIX_.'meta
-                       WHERE page = "'.(string)$controller_name.'"'
+                       WHERE page = "'.pSQL($controller_name).'"'
                    );
...
                        FROM '._DB_PREFIX_.'meta
-                       WHERE page = "'.(string)$controller_name.'"'
+                       WHERE page = "'.pSQL($controller_name).'"'
                    );
...

Other recommendations

• It’s recommended to upgrade to the latest version of the module everpsseo.
• To help improve the security of your PrestaShop installation, we recommend upgrading to the latest version. One of the benefits of upgrading is that it will disable the use of multiquery executions (separated by semicolons). However, please be aware that this will not protect your shop against SQL injection attacks that use the UNION clause to steal data. Additionally, it’s important to note that PrestaShop includes a function called pSQL, which includes a strip_tags function. This helps protect your shop against Stored XSS (also known as XSS T2) of Category 1. If a pSQL function is missing, it could potentially expose your project to critical Stored XSS vulnerabilities due to edge cases. Therefore, it’s crucial to ensure that all relevant functions are properly implemented and used consistently throughout your project.
• Change the default database prefix ps_ with a new longer, arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skills because of a design vulnerability in DBMS
• Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

Timeline

Team Ever thanks TouchWeb for its courtesy and its help after the vulnerability disclosure.

Links

• PrestaShop addons product page
• Author product page
• National Vulnerability Database

Summary

• CVE ID: CVE-2024-25849
• Published at: 2024-03-05
• Platform: PrestaShop
• Product: makeanoffer
• Impacted release: <= 1.7.1 (1.7.2 fixed the vulnerability)
• Product author: PrestaToolKit
• Weakness: CWE-89
• Severity: critical (9.8)

Description

Methods MakeOffers::checkUserExistingOffer() and MakeOffers::addUserOffer() have sensitives SQL calls that can be executed with a trivial http call and exploited to forge a SQL injection.

This exploit uses a PrestaShop front controller and most attackers can conceal the module controller’s path during the exploit, so you will never know within your conventional frontend logs that it exploits this vulnerability. You will only see “POST /” inside your conventional frontend logs. Activating the AuditEngine of mod_security (or similar) is the only way to get data to confirm this exploit.

CVSS base metrics

• Attack vector: network
• Attack complexity: low
• Privilege required: none
• User interaction: none
• Scope: unchanged
• Confidentiality: high
• Integrity: high
• Availability: high

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Possible malicious usage

• Obtain admin access
• Remove data from the associated PrestaShop
• Copy/paste data from sensitive tables to FRONT to expose tokens and unlock admin’s ajax scripts
• Rewrite SMTP settings to hijack emails

Patch from 1.7.1

--- 1.7.1/modules/makeanoffer/model/MakeOffersModel.php
+++ 1.7.2/modules/makeanoffer/model/MakeOffersModel.php
	public function checkUserExistingOffer($id_product, $email, $cid)
	{
		$result = Db::getInstance()->executeS('
		SELECT `id_makeanoffer`
		FROM `'._DB_PREFIX_.'makeanoffer`
		WHERE `id_product` = '.(int)$id_product.'
-		AND id_combination = '.(int)$cid.' AND email = "'.$email.'"');
+		AND id_combination = '.(int)$cid.' AND email = "'.pSQL($email).'"');
		return count($result);
	}
	
	public function addUserOffer($id_product, $email, $cid, $name, $phone, $message, $amount, $customer_id, $real_price, $id_currency)
	{
		empty($message) ? $message = 'empty' : $message;
		empty($name) ? $name = 'no name' : $name;
		empty($phone) ? $phone = 'empty' : $phone;
		Db::getInstance()->execute('INSERT INTO '._DB_PREFIX_.'makeanoffer (id_product, email, id_combination, status, name, phone, message, amount_offer, customer_id, original_price, id_curr)
-			VALUES('.(int)$id_product.', "'.(string)$email.'", '.(int)$cid.', 0, "'.(string)$name.'", "'.(string)$phone.'", "'.(string)$message.'", "'.(string)$amount.'", '.(int)$customer_id.', "'.(string)$real_price.'", '.(int)$id_currency.')
+			VALUES('.(int)$id_product.', "'.pSQL($email).'", '.(int)$cid.', 0, "'.pSQL($name).'", "'.pSQL($phone).'", "'.pSQL($message).'", "'.pSQL($amount).'", '.(int)$customer_id.', "'.pSQL($real_price).'", '.(int)$id_currency.')
		');
		$last_id = (int)Db::getInstance()->Insert_ID();
		return $last_id;
	}

Other recommendations

• It’s recommended to upgrade to the latest version of the module makeanoffer.
• To help improve the security of your PrestaShop installation, we recommend upgrading to the latest version. One of the benefits of upgrading is that it will disable the use of multiquery executions (separated by semicolons). However, please be aware that this will not protect your shop against SQL injection attacks that use the UNION clause to steal data. Additionally, it’s important to note that PrestaShop includes a function called pSQL, which includes a strip_tags function. This helps protect your shop against Stored XSS (also known as XSS T2) of Category 1. If a pSQL function is missing, it could potentially expose your project to critical Stored XSS vulnerabilities due to edge cases. Therefore, it’s crucial to ensure that all relevant functions are properly implemented and used consistently throughout your project.
• Change the default database prefix ps_ with a new longer, arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skills because of a design vulnerability in DBMS
• Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

Timeline

Links

• PrestaShop addons product page
• National Vulnerability Database

Summary

• CVE ID: CVE-2024-25842
• Published at: 2024-02-29
• Platform: PrestaShop
• Product: prestasalesmanager
• Impacted release: <= 8.0.0 (9.0.0 fixed the vulnerability)
• Product author: Presta World
• Weakness: CWE-73
• Severity: critical (9.1)

Description

Methods PrestaSalesManagerChatboxModuleFrontController::uploadLogo() and PrestaSalesManagerMyAccountManagerTabModuleFrontController::postProcess has sensitive fopen call that can be executed with a trivial http call and exploited to delete all files of the system.

This exploit uses a PrestaShop front controller and most attackers can conceal the module controller’s path during the exploit, so you will never know within your conventional frontend logs that it exploits this vulnerability. You will only see “POST /” inside your conventional frontend logs. Activating the AuditEngine of mod_security (or similar) is the only way to get data to confirm this exploit.

CVSS base metrics

• Attack vector: network
• Attack complexity: low
• Privilege required: none
• User interaction: none
• Scope: unchanged
• Confidentiality: none
• Integrity: high
• Availability: high

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Possible malicious usage

• Delete all files from the Shop
• Disable critical security configuration (.htaccess) to access private zone

Patch from 8.0.0

--- 8.0.0/modules/prestasalesmanager/controllers/front/chatbox.php
+++ 9.0.0/modules/prestasalesmanager/controllers/front/chatbox.php
...
-           $idTicket = Tools::getValue('id_enquiry');
+           $idTicket = (int) Tools::getValue('id_enquiry');

--- 8.0.0/modules/prestasalesmanager/controllers/front/myaccountmanagertab.php
+++ 9.0.0/modules/prestasalesmanager/controllers/front/myaccountmanagertab.php
...
-           $idHelpDesk = Tools::getValue('id_helpDesk');
+           $idHelpDesk = (int) Tools::getValue('id_helpDesk');

Other recommendations

• It’s recommended to upgrade to the latest version of the module prestasalesmanager.
• Activate OWASP 930’s rules on your WAF (Web application firewall) and adjust it for your PrestaShop

Timeline

Links

• PrestaShop addons product page
• National Vulnerability Database

Summary

• CVE ID: CVE-2024-24307
• Published at: 2024-02-29
• Platform: PrestaShop
• Product: productdesigner
• Impacted release: < 1.178.36 (1.178.36 fixed the vulnerability)
• Product author: Tunis Soft
• Weakness: CWE-22
• Severity: high (7.5)

Description

The method ProductDesignerUserUploadModuleFrontController::ajaxProcessCropImage() has sensitive action that can be executed with a trivial http call and exploited to forge a Path traversal attack.

Note : We are forced to tag it as a high gravity due to the CWE type 22 but be warned that on our ecosystem, it must be considered critical since it unlocks hundreds admin’s ajax script of modules due to this

This exploit uses a PrestaShop front controller and most attackers can conceal the module controller’s path during the exploit, so you will never know within your conventional frontend logs that it exploits this vulnerability. You will only see “POST /” inside your conventional frontend logs. Activating the AuditEngine of mod_security (or similar) is the only way to get data to confirm this exploit.

CVSS base metrics

• Attack vector: network
• Attack complexity: low
• Privilege required: none
• User interaction: none
• Scope: unchanged
• Confidentiality: high
• Integrity: none
• Availability: none

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Possible malicious usage

• Stealing secrets to unlock admin controllers based on ajax script
• Exfiltrate all modules with all versions to facilitate pentesting
• Stealing table_prefix to greatly facilitate SQL injections for kiddies who don’t know how to exploit DBMS design’s vulnerabilities or steal database access to login in exposed PHPMyAdmin / Adminer / etc.
• Bypass WAF / htaccess restrictions to read forbidden files (such as logs on predictable paths of banks’s modules inside /var/log/)

Other recommendations

• It’s recommended to upgrade to the latest version of the module productdesigner.
• NEVER expose a PHPMyAdmin / Adminer / etc without, at least, a htpasswd
• Activate OWASP 930’s rules on your WAF (Web application firewall) and adjust it for your PrestaShop

Timeline

Tunis Soft thanks TouchWeb for its courtesy and its help after the vulnerability disclosure.

Links

• PrestaShop addons product page
• National Vulnerability Database

Summary

• CVE ID: CVE-2024-24302
• Published at: 2024-02-29
• Platform: PrestaShop
• Product: productdesigner
• Impacted release: < 1.178.36 (1.178.36 fixed the vulnerability)
• Product author: Tunis Soft
• Weakness: CWE-918
• Severity: critical (10)

Description

Prior to PHP 8.0, a deserialization of untrusted data exploiting phar wrapper, in the method ProductDesignerPixabayModuleFrontController::postProcess() can be used with a trivial http call and exploited to execute a remote code.

This exploit uses a PrestaShop front controller and most attackers can conceal the module controller’s path during the exploit, so you will never know within your conventional frontend logs that it exploits this vulnerability. You will only see “POST /” inside your conventional frontend logs. Activating the AuditEngine of mod_security (or similar) is the only way to get data to confirm this exploit.

CVSS base metrics

• Attack vector: network
• Attack complexity: low
• Privilege required: none
• User interaction: none
• Scope: changed
• Confidentiality: high
• Integrity: high
• Availability: high

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Possible malicious usage

• Obtain admin access
• Steal/Remove data from the associated PrestaShop

Other recommendations

• It’s recommended to upgrade the module to its latest version
• Activate OWASP 933’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

Timeline

Tunis Soft thanks TouchWeb for its courtesy and its help after the vulnerability disclosure.

Links

• PrestaShop addons product page
• National Vulnerability Database

Summary

• CVE ID: CVE-2024-26469
• Published at: 2024-02-29
• Platform: PrestaShop
• Product: productdesigner
• Impacted release: < 1.178.36 (1.178.36 fixed the vulnerability)
• Product author: Tunis Soft
• Weakness: CWE-918
• Severity: critical (9.1)

Description

In the Product Designer module from Tunis Soft for PrestaShop, an improper validation of url parameter in the method ProductDesignerPixabayModuleFrontController::postProcess can be executed via a trivial HTTP call to forge Server-Side Request.

This vulnerability can be exploited to initiate a HTTP request and get the return, for instance, use the vulnerable website as proxy to attack others websites, exfiltrate data in files under IP restriction or perform a path traversal attack.

This exploit uses a PrestaShop front controller and most attackers can conceal the module controller’s path during the exploit, so you will never know within your conventional frontend logs that it exploits this vulnerability. You will only see “POST /” inside your conventional frontend logs. Activating the AuditEngine of mod_security (or similar) is the only way to get data to confirm this exploit.

CVSS base metrics

• Attack vector: network
• Attack complexity: low
• Privilege required: none
• User interaction: none
• Scope: unchanged
• Confidentiality: high
• Integrity: high
• Availability: none

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Possible malicious usage

• Attack others websites via the vulnerability
• Bypass WAF/.htaccess restrictions
• Perform path traversal attack

Other recommendations

• It’s recommended to upgrade the module to its latest version
• Activate OWASP 930 and 931’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against these set of rules.

Timeline

Tunis Soft thanks TouchWeb for its courtesy and its help after the vulnerability disclosure.

Links

• PrestaShop addons product page
• National Vulnerability Database

Summary

• CVE ID: CVE-2024-25847
• Published at: 2024-02-29
• Platform: PrestaShop
• Product: simpleimportproduct
• Impacted release: <= 6.5.0 (6.7.1 ““fixed”” the vulnerability - See note below)
• Product author: MyPrestaModules
• Weakness: CWE-89
• Severity: critical (9.8)

Description

Methods Send::__construct() and importProducts::_addDataToDb have sensitive SQL calls that can be executed with a trivial http call and exploited to forge a SQL injection.

Note : The author has moved its exposed ajax script which suffers a critical issue, to the front controller under an unpredictable token. It’s no longer a critical vulnerability issue, but be warned that it remains a high vulnerability issue with a CVSS 3.1 score 7.2/10

CVSS base metrics

• Attack vector: network
• Attack complexity: low
• Privilege required: none
• User interaction: none
• Scope: unchanged
• Confidentiality: high
• Integrity: high
• Availability: high

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Possible malicious usage

• Obtain admin access
• Remove data from the associated PrestaShop
• Copy/paste data from sensitive tables to FRONT to expose tokens and unlock admin’s ajax scripts
• Rewrite SMTP settings to hijack emails

Patch from 6.5.0

--- 6.5.0/modules/simpleimportproduct/classes/send.php
+++ XXXXX/modules/simpleimportproduct/classes/send.php
            if (Tools::getValue('remove') == true) {
                $key = Tools::getValue('key');
                $key = pSQL($key);
-               Db::getInstance()->delete('simpleimport_tasks', "import_settings=$key");
+               Db::getInstance()->delete('simpleimport_tasks', "import_settings='".$key."'");

--- 6.5.0/modules/simpleimportproduct/classes/import.php
+++ XXXXX/modules/simpleimportproduct/classes/import.php
        if (Tools::getValue('id_task')) {
-           $data['id_task'] = Tools::getValue('id_task');
+           $data['id_task'] = (int) Tools::getValue('id_task');
        }
...
    if( Tools::getValue('id_task') ){
-     $data['id_task'] = Tools::getValue('id_task');
+     $data['id_task'] = (int) Tools::getValue('id_task');
    }

Other recommendations

• It’s recommended to upgrade to the latest version of the module simpleimportproduct.
• To help improve the security of your PrestaShop installation, we recommend upgrading to the latest version. One of the benefits of upgrading is that it will disable the use of multiquery executions (separated by semicolons). However, please be aware that this will not protect your shop against SQL injection attacks that use the UNION clause to steal data. Additionally, it’s important to note that PrestaShop includes a function called pSQL, which includes a strip_tags function. This helps protect your shop against Stored XSS (also known as XSS T2) of Category 1. If a pSQL function is missing, it could potentially expose your project to critical Stored XSS vulnerabilities due to edge cases. Therefore, it’s crucial to ensure that all relevant functions are properly implemented and used consistently throughout your project.
• Change the default database prefix ps_ with a new longer, arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skills because of a design vulnerability in DBMS
• Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

Timeline

Links

• PrestaShop addons product page
• National Vulnerability Database

Summary

• CVE ID: CVE-2024-25844
• Published at: 2024-02-29
• Platform: PrestaShop
• Product: soflexibilite
• Impacted release: <= 4.1.14 (4.1.26 fixed the vulnerability)
• Product author: Common-Services
• Weakness: CWE-359
• Severity: high (7.5), GDPR violation

Description

Due to a lack of permissions control, a guest can access the debug file (which has no extension so the payload will bypass most WAF) from the module that leaks the login / password of the web portal https://www.colissimo.entreprise.laposte.fr/, then export all customer data who used this carrier.

Note : there is no version between 4.1.14 and 4.1.26.

CVSS base metrics

• Attack vector: network
• Attack complexity: low
• Privilege required: none
• User interaction: none
• Scope: unchanged
• Confidentiality: high
• Integrity: none
• Availability: none

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Possible malicious usage

• Steal personal data

Other recommendations

• It’s recommended to upgrade to the latest version of the module soflexibilite.

Timeline

TouchWeb thanks Bryan Bouchut for his help with the impact analysis on the web platform https://www.colissimo.entreprise.laposte.fr/

Links

• PrestaShop addons product page
• National Vulnerability Database

Summary

• CVE ID: CVE-2024-25839
• Published at: 2024-02-29
• Platform: PrestaShop
• Product: supernewsletter
• Impacted release: <= 1.4.21 (DANGER : all versions and author discontinue support)
• Product author: Webbax
• Weakness: CWE-200
• Severity: high (7.5), GDPR violation

Description

Due to the use of a secret on the PrestaShop ecosystem, a guest can access hundreds of scripts on the PrestaShop ecosystem protected by this secret, including modules that permit the export of customer databases.

WARNING : This module is obsolete and must be deleted since the author has discontinued support.

Note : We are forced to tag it as high gravity due to the CWE type 200 but be warned that on our ecosystem, it must be considered critical since it unlocks hundreds admin’s ajax script of modules due to this

CVSS base metrics

• Attack vector: network
• Attack complexity: low
• Privilege required: none
• User interaction: none
• Scope: unchanged
• Confidentiality: high
• Integrity: none
• Availability: none

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Possible malicious usage

• Access scripts including admin scripts protected by token

Patch from 1.4.21

--- 1.4.21/modules/supernewsletter/front_generate_newsletter.php
+++ XXXXXX/modules/supernewsletter/front_generate_newsletter.php
@@ -82,7 +82,7 @@ if($token==md5($id_supernewsletter_conte

     // tracking stats - open newsletter ?
     if($see_online!=1){
-        $html.='<img src="'.$Shop->getBaseURL().'modules/supernewsletter/front_stats.php?id_supernewsletter_content='.$id_supernewsletter_content.'&preview='.$preview.'&stats_type=open&token='._COOKIE_KEY_.'" style="height:1px;width:1px">';
+        $html.='<img src="'.$Shop->getBaseURL().'modules/supernewsletter/front_stats.php?id_supernewsletter_content='.$id_supernewsletter_content.'&preview='.$preview.'&stats_type=open&token='.Tools::encrypt('supernewsletter').'" style="height:1px;width:1px">';
     }

     // preview ?
@@ -114,7 +114,7 @@ if($token==md5($id_supernewsletter_conte
        </table>';
     }

-    $base_special_link = $Shop->getBaseURL().'modules/supernewsletter/front_stats.php?id_supernewsletter_content='.$id_supernewsletter_content.'&id_lang='.$id_lang.'&preview='.$preview.'&stats_type=special_link&token='._COOKIE_KEY_;
+    $base_special_link = $Shop->getBaseURL().'modules/supernewsletter/front_stats.php?id_supernewsletter_content='.$id_supernewsletter_content.'&id_lang='.$id_lang.'&preview='.$preview.'&stats_type=special_link&token='.Tools::encrypt('supernewsletter');

     // see online newsletter
     $url_newsletter = urlencode($Shop->getBaseURL().'modules/supernewsletter/front_generate_newsletter.php?id_supernewsletter_content='.$id_supernewsletter_content.'&id_lang='.$id_lang.'&preview=0&see_online=1&token='.md5($id_supernewsletter_content));
@@ -253,7 +253,7 @@ if($token==md5($id_supernewsletter_conte
                 $name = Tools::substr($name,0,$SupernewsletterTemplate->product_title_len).'...';
              }

-             $link_product = $Shop->getBaseURL().'modules/supernewsletter/front_stats.php?id_supernewsletter_content='.$id_supernewsletter_content.'&id_product='.$p['id_product'].'&id_product_attribute='.$p['id_product_attribute'].'&id_lang='.$id_lang.'&preview='.$preview.'&stats_type=product&token='._COOKIE_KEY_;
+             $link_product = $Shop->getBaseURL().'modules/supernewsletter/front_stats.php?id_supernewsletter_content='.$id_supernewsletter_content.'&id_product='.$p['id_product'].'&id_product_attribute='.$p['id_product_attribute'].'&id_lang='.$id_lang.'&preview='.$preview.'&stats_type=product&token='.Tools::encrypt('supernewsletter');
              $id_unique_random = uniqid();

              $css_td_first_product = '';
@@ -428,7 +428,7 @@ if($token==md5($id_supernewsletter_conte
     </td></tr></table>';

     // unsubscribe
-    $html .= '<table style="width:100%;background-color:'.$SupernewsletterTemplate->bg_newsletter.';padding-bottom:5px;"><tr><td style="text-align:center;'.$css_font_family.';"><a href="'.$base_special_link.'&link_type=unsubscribe&link_redirect='.urlencode($Shop->getBaseURL().'modules/supernewsletter/front_unsubscribe.php?id_supernewsletter_content='.$SupernewsletterContent->id.'&token='._COOKIE_KEY_).'" target="_blank" style="color:'.$SupernewsletterTemplate->col_links_hf.';font-size:'.$SupernewsletterTemplate->size_links_hf.'px">'.$Supernewsletter->l('Cliquez ici pour vous désinscrire',$filename).'</a><td></tr></table>';
+    $html .= '<table style="width:100%;background-color:'.$SupernewsletterTemplate->bg_newsletter.';padding-bottom:5px;"><tr><td style="text-align:center;'.$css_font_family.';"><a href="'.$base_special_link.'&link_type=unsubscribe&link_redirect='.urlencode($Shop->getBaseURL().'modules/supernewsletter/front_unsubscribe.php?id_supernewsletter_content='.$SupernewsletterContent->id.'&token='.Tools::encrypt('supernewsletter')).'" target="_blank" style="color:'.$SupernewsletterTemplate->col_links_hf.';font-size:'.$SupernewsletterTemplate->size_links_hf.'px">'.$Supernewsletter->l('Cliquez ici pour vous désinscrire',$filename).'</a><td></tr></table>';

 }else{
     $html.=$Supernewsletter->l('Hack : jeton incorrect',$filename);

--- 1.4.21/modules/supernewsletter/front_stats.php
+++ XXXXXX/modules/supernewsletter/front_stats.php
-if($token!==_COOKIE_KEY_){die('Error : bad token');}
+if(empty($token) || $token != Tools::encrypt('supernewsletter')){die('Error : bad token');}

--- 1.4.21/modules/supernewsletter/front_unsubscribe.php
+++ XXXXXX/modules/supernewsletter/front_unsubscribe.php
-if($token!=_COOKIE_KEY_){die('Error : bad token');}
+if(empty($token) || $token != Tools::encrypt('supernewsletter')){die('Error : bad token');}

--- 1.4.21/modules/supernewsletter/admin_cron.php
+++ XXXXXX/modules/supernewsletter/admin_cron.php
-    <img src="'.$this->_path.'views/img/script_link.png" /> <span class="label_url_cron">'.$this->l('URL CRON',$page_name).'</span> : <span class="url_cron">'.$Shop->getBaseURL().'modules/'.$this->name.'/front_cron_send.php?identifier=date&identifier_value=date&emails_pack=unlimited&id_shop='.$this->context->shop->id.'&token='._COOKIE_KEY_.'</span><br/>
+    <img src="'.$this->_path.'views/img/script_link.png" /> <span class="label_url_cron">'.$this->l('URL CRON',$page_name).'</span> : <span class="url_cron">'.$Shop->getBaseURL().'modules/'.$this->name.'/front_cron_send.php?identifier=date&identifier_value=date&emails_pack=unlimited&id_shop='.$this->context->shop->id.'&token='.Tools::encrypt('supernewsletter').'</span><br/>

--- 1.4.21/modules/supernewsletter/front_cron_send.php
+++ XXXXXX/modules/supernewsletter/front_cron_send.php
-     if(Tools::getValue('token')!=_COOKIE_KEY_){die('error : token');}
+     $token = Tools::getValue('token');
+     if(empty($token) || $token != Tools::encrypt('supernewsletter')){die('Error : bad token');}

Other recommendations

• It’s recommended to delete the module since support is discontinued.
• You MUST update your secret COOKIE_KEY, be warned that this will invalidate all your customers passwords and most of your tokens

Timeline

Links

• Author page
• Author page
• National Vulnerability Database

Summary

• CVE ID: [CVE-2024-25843]
• Published at: 2024-02-27
• Platform: PrestaShop
• Product: ba_importer
• Impacted release: <= 1.1.28 (1.1.29 fixed the vulnerability)
• Product author: Buy Addons
• Weakness: CWE-89
• Severity: critical (9.8)

Description

The method ba_importerAjaxSettingModuleFrontController::run() has sensitive SQL calls that can be executed with a trivial http call and exploited to forge a SQL injection.

WARNING : This exploit is actively used to deploy a webskimmer to massively steal credit cards.

This exploit uses a PrestaShop front controller and most attackers can conceal the module controller’s path during the exploit, so you will never know within your conventional frontend logs that it exploits this vulnerability. You will only see “POST /” inside your conventional frontend logs. Activating the AuditEngine of mod_security (or similar) is the only way to get data to confirm this exploit.

Note : the author has deleted from his module the file which have been suffering from the critical vulnerability for years, BUT did not set them to be “auto-deleted” during upgrades. Therefore, there are likely merchants out there with older versions who have updated their modules, thinking they are safe. However, there is nothing safe about that, since past upgrades did not auto-delete the implicated files. To ensure everyone has a “safe version”, we decided to mark all versions up to 1.1.28 as impacted by this issue.

CVSS base metrics

• Attack vector: network
• Attack complexity: low
• Privilege required: none
• User interaction: none
• Scope: unchanged
• Confidentiality: high
• Integrity: high
• Availability: high

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Possible malicious usage

• Obtain admin access
• Remove data from the associated PrestaShop
• Copy/paste data from sensitive tables to FRONT to expose tokens and unlock admin’s ajax scripts
• Rewrite SMTP settings to hijack emails

Proof of concept

curl -v 'https://preprod.X/?fc=module&module=ba_importer&controller=ajaxsetting&ajax=true&value_setting=1;select(0x73656C65637420736C656570283432293B)INTO@a;prepare`b`from@a;execute`b`;--'

Patch

This one can impact newer version than 1.0.64, see Note above.

--- 1.0.64/modules/ba_importer/controllers/front/ajaxsetting.php
+++ XXXXXX/modules/ba_importer/controllers/front/ajaxsetting.php
            $select_import_settings = 'SELECT * FROM ' . _DB_PREFIX_ . 'ba_importer_config ';
-           $select_import_settings .= 'WHERE id_importer_config=' . $settingchoose . ' AND id_shop=' . $id_shop;
+           $select_import_settings .= 'WHERE id_importer_config=' . (int) $settingchoose . ' AND id_shop=' . (int) $id_shop;

--- 1.1.27/modules/ba_importer/autoimport.php
+++ 1.1.29/modules/ba_importer/autoimport.php
...
-$remote_ip = Tools::getRemoteAddr();
-if (!(int)Configuration::get('PS_SHOP_ENABLE')) {
-    if (!in_array($remote_ip, explode(',', Configuration::get('PS_MAINTENANCE_IP')))) {
-        if (!Configuration::get('PS_MAINTENANCE_IP')) {
-            Configuration::updateValue('PS_MAINTENANCE_IP', $remote_ip);
-        } else {
-            Configuration::updateValue('PS_MAINTENANCE_IP', Configuration::get('PS_MAINTENANCE_IP') . ',' . $remote_ip);
-        }
-    }
-}
...
-   $id_importer_config = Tools::getValue('id_importer_config');
+   $id_importer_config = implode(',', array_map('intval', explode(',',  Tools::getValue('id_importer_config'))));

Other recommendations

• It’s recommended to upgrade to the latest version of the module ba_importer.
• To help improve the security of your PrestaShop installation, we recommend upgrading to the latest version. One of the benefits of upgrading is that it will disable the use of multiquery executions (separated by semicolons). However, please be aware that this will not protect your shop against SQL injection attacks that use the UNION clause to steal data. Additionally, it’s important to note that PrestaShop includes a function called pSQL, which includes a strip_tags function. This helps protect your shop against Stored XSS (also known as XSS T2) of Category 1. If a pSQL function is missing, it could potentially expose your project to critical Stored XSS vulnerabilities due to edge cases. Therefore, it’s crucial to ensure that all relevant functions are properly implemented and used consistently throughout your project.
• Change the default database prefix ps_ with a new longer, arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skill because of a design vulnerability in DBMS
• Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

Timeline

Links

• PrestaShop addons product page
• National Vulnerability Database

Summary

• CVE ID: CVE-2024-25840
• Published at: 2024-02-27
• Platform: PrestaShop
• Product: prestasalesmanager
• Impacted release: <= 8.0.0 (9.0.0 fixed the vulnerability)
• Product author: Presta World
• Weakness: CWE-22
• Severity: high (7.5)

Description

The method PrestaSalesManagerChatboxModuleFrontController::postProcess() has sensitive action that can be executed with a trivial http call and exploited to forge a Path traversal attack.

Note : We are forced to tag it as a high gravity due to the CWE type 22 but be warned that on our ecosystem, it must be considered critical since it unlocks hundreds admin’s ajax script of modules due to this

This exploit uses a PrestaShop front controller and most attackers can conceal the module controller’s path during the exploit, so you will never know within your conventional frontend logs that it exploits this vulnerability. You will only see “POST /” inside your conventional frontend logs. Activating the AuditEngine of mod_security (or similar) is the only way to get data to confirm this exploit.

CVSS base metrics

• Attack vector: network
• Attack complexity: low
• Privilege required: none
• User interaction: none
• Scope: unchanged
• Confidentiality: high
• Integrity: none
• Availability: none

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Possible malicious usage

• Stealing secrets to unlock admin controllers based on ajax script
• Exfiltrate all modules with all versions to facilitate pentesting
• Stealing table_prefix to greatly facilitate SQL injections for kiddies who don’t know how to exploit DBMS design’s vulnerabilities or steal database access to login in exposed PHPMyAdmin / Adminer / etc.
• Bypass WAF / htaccess restrictions to read forbidden files (such as logs on predictable paths of banks’s modules inside /var/log/)

Patch from 8.0.0

--- 8.0.0/modules/prestasalesmanager/controllers/front/chatbox.php
+++ 9.0.0/modules/prestasalesmanager/controllers/front/chatbox.php
...
-           $file = Tools::getValue('file');
+           $file = basename(Tools::getValue('file'));
-           $id_ticket = Tools::getValue('id_presta_product_enquiry');
+           $id_ticket = (int) Tools::getValue('id_presta_product_enquiry');

Other recommendations

• It’s recommended to upgrade to the latest version of the module prestasalesmanager.
• NEVER expose a PHPMyAdmin / Adminer / etc without, at least, a htpasswd
• Activate OWASP 930’s rules on your WAF (Web application firewall) and adjust it for your PrestaShop

Timeline

Links

• PrestaShop addons product page
• National Vulnerability Database

Summary

• CVE ID: CVE-2024-25846
• Published at: 2024-02-27
• Platform: PrestaShop
• Product: simpleimportproduct
• Impacted release: <= 6.7.0 (6.7.1 ““fixed”” the vulnerability - See note below)
• Product author: MyPrestaModules
• Weakness: CWE-434
• Severity: critical (10)

Description

The method Send::__construct() allows the upload of .zip files, which can be auto uncompress in a predictable directory, author tries to protect it with a.htaccess, but since we can forge a zip with a custom .htaccess and a PHP payload, it will lead to a critical vulnerability CWE-94.

WARNING : Be warned that this exploit will bypass the majority of WAF (zipped payload with htaccess auto-hijacked)

Note : The author has moved its exposed ajax script which suffers a critical issue to a front controller under an unpredictable token. It remains a critical vulnerability issue with a CVSS 3.1 score 9.1/10. For this reason, you should consider to delete this module.

Edit 2024-07-09 - WARNING : This exploit is actively used to deploy webskimmer to massively steal credit cards. Since POC is now exploited, it is considered public.

CVSS base metrics

• Attack vector: network
• Attack complexity: low
• Privilege required: none
• User interaction: none
• Scope: changed
• Confidentiality: high
• Integrity: high
• Availability: high

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Possible malicious usage

• Obtain admin access
• Remove data from the associated PrestaShop
• Steal data

Proof of concept

echo 'UEsDBBQAAAAIACmivFa0Sii9DgAAAA4AAAAJAAAALmh0YWNjZXNzS8zJyS9XSCvKz1UAMgFQSwMEFAAAAAgAoqG8Vp+ixh8WAAAAFAAAAAUAAABhLnBocLOxL8go4OVKTc7IV9AwMtQ2MtS0BgBQSwECHwAUAAAACAAporxWtEoovQ4AAAAOAAAACQAkAAAAAAAAACAAAAAAAAAALmh0YWNjZXNzCgAgAAAAAAABABgA59XXo5CR2QHn1dejkJHZAeJTwpqQkdkBUEsBAh8AFAAAAAgAoqG8Vp+ixh8WAAAAFAAAAAUAJAAAAAAAAAAgAAAANQAAAGEucGhwCgAgAAAAAAABABgA07RBDJCR2QHTtEEMkJHZAaRqZqCOkdkBUEsFBgAAAAACAAIAsgAAAG4AAAAAAA==' > tmp && base64 -d tmp > test.zip && curl -v -F "file=@test.zip" 'https://preprod.X/modules/simpleimportproduct/classes/send.php?zip_file=1&ajax=1&stepTwo=1&import_settings_name=1' && curl -v 'https://preprod.X/modules/simpleimportproduct/data/zip_files/a.php'

Other recommendations

• It’s recommended to delete the module simpleimportproduct or at least, to upgrade it to its latest version.
• Activate OWASP 933’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

Timeline

Links

• PrestaShop addons product page
• National Vulnerability Database

Note: To succeed in this exploit, the red team needs to pay to convert a cart into a valid order with a SoColissimo carrier, which allows you to enter a custom email such as “Point Relay” and requires the administrator to go to the order management page in its backoffice. To be exploited, you will probably need interaction with the shop’s owner to update the custom email given for SoColissimo after you pay.

Since there is a deletion of hooks with PS 1.7.7+, it does not concern all installations :

• Versions from 4.0.X to 4.1.6 are only vulnerable on PS 1.7.6- (including probably PS 1.6 - to confirm) since hookDisplayAdminOrderContentShip no longer exist on PS 1.7.7+ (https://devdocs.prestashop-project.org/1.7/modules/core-updates/1.7.7/#modified-hooks)
• Versions from 4.1.7 and above are vulnerable on all PS versions (at least 1.7+ - to confirm on PS 1.6)

Summary

• CVE ID: CVE-2024-25841
• Published at: 2024-02-27
• Platform: PrestaShop
• Product: soflexibilite
• Impacted release: <= 4.1.14 (4.1.26 fixed the vulnerability)
• Product author: Common-Services
• Weakness: CWE-79
• Severity: critical (9.0)

Description

As all XSS type 2 (Stored XSS) F2B (Front to Back), there are two steps and a prerequisite.

Prerequisite :

• The field ceemail within table colissimo_delivery_info suffers from a type varchar(64), which is large enough to allow dangerous XSS payloads.

Steps :

• The method SoFlexibiliteDeliveryInfo::save() does not properly clean the parameter ceemail. pSQL is useless against XSS which exploits HTML tag attributes (Category 2 according to OWASP - pSQL only neutralized Category 1 thanks to its strip_tags).
• The output in the backoffice is not escaped in the related smarty template that uses it.

CVSS base metrics

• Attack vector: network
• Attack complexity: low
• Privilege required: low
• User interaction: required
• Scope: changed
• Confidentiality: high
• Integrity: high
• Availability: high

Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Possible malicious usage

• Unlock design’s vulnerability, see this : https://friends-of-presta.github.io/security-advisories/modules/2023/02/07/stored-xss.html

Patch from 4.1.14

--- 4.1.14/modules/soflexibilite/views/templates/admin/orders/displayadminordercontentship.tpl
+++ 4.1.26/modules/soflexibilite/views/templates/admin/orders/displayadminordercontentship.tpl
...
                </span>
-               <input type="email" class="form-control ceemail" placeholder="{l s='Email' mod='soflexibilite'}" aria-describedby="sf_sumpup_email" value="{$sf_delivery_info->ceemail}">
+               <input type="email" class="form-control ceemail" placeholder="{l s='Email' mod='soflexibilite'}" aria-describedby="sf_sumpup_email" value="{$sf_delivery_info->ceemail|escape:'htmlall':'UTF-8'}">
            </div>

Other recommendations

• It’s recommended to upgrade to the latest version of the module soflexibilite.
• Systematically escape characters ‘ “ < and > by replacing them with HTML entities and applying strip_tags - Smarty and Twig provide auto-escape filters :
  • Smarty: {$value.comment|escape:'html':'UTF-8'}
  • Twig:{{value.comment|e}}
• Limit to the strict minimum the length’s value in database - a database field that allows 10 characters (varchar(10)) is far less dangerous than a field that allows 40+ characters (use cases that can exploit fragmented XSS payloads are very rare).
• Configure CSP headers (content security policies) by listing external domains allowed to load assets (such as js files) or being called in XHR transactions (Ajax).
• If applicable: check against all your frontoffice’s uploaders, uploading files that will be served by your server that mime type application/javascript (like every .js natively) must be strictly forbidden as it must be considered as dangerous as PHP files.
• Activate OWASP 941’s rules on your WAF (Web application firewall) - be warned that you will probably break your frontoffice/backoffice and you will need to preconfigure some bypasses against this set of rules.

Timeline

Links

• PrestaShop addons product page
• National Vulnerability Database

Summary

• CVE ID: CVE-2024-24310
• Published at: 2024-02-20
• Platform: PrestaShop
• Product: ecgeneratebarcode
• Impacted release: <= 1.2.0 (2.0.0 fixed the vulnerability)
• Product author: Ether Création
• Weakness: CWE-89
• Severity: high (8.8)

Description

Foreword : we are forced to tag privilege LOW (need a valid order reference) on the CVSS 3.1 score which make it a high vulnerability since it will be high if the module has never been installed OR (if the ECO_TOKEN_BARCODE configuration do not exist OR is empty), but keep in mind that for the majority of installations, the gravity is reduced to CVSS 3.1 7.2/10

The script PHP ajax.php own a sensitive SQL calls that can be executed with a trivial http call and exploited to forge a SQL injection if a valid Order reference is known.

CVSS base metrics

• Attack vector: network
• Attack complexity: low
• Privilege required: low
• User interaction: none
• Scope: unchanged
• Confidentiality: high
• Integrity: high
• Availability: high

Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Possible malicious usage

• Obtain admin access
• Steal/Remove data from the associated PrestaShop
• Copy/paste data from sensitive tables to FRONT to expose tokens and unlock admins’s ajax scripts
• Rewrite SMTP settings to hijack emails

Patch from 1.2.0

--- 1.2.0/modules/ecgeneratebarcode/ajax.php
+++ XXXXX/modules/ecgeneratebarcode/ajax.php
...
-if (Tools::getValue('ec_token') != Configuration::get('ECO_TOKEN_BARCODE')) {
+if (Tools::isEmpty('ec_token') || Tools::getValue('ec_token') !== Configuration::get('ECO_TOKEN_BARCODE')) {
...
-   $shop = Tools::getValue('idshop');
+   $shop = (int) Tools::getValue('idshop');

Other recommendations

• It’s recommended to upgrade to the latest version of the module ecgeneratebarcode.
• To help improve the security of your PrestaShop installation, we recommend upgrading to the latest version. One of the benefits of upgrading is that it will disable the use of multiquery executions (separated by semicolons). However, please be aware that this will not protect your shop against SQL injection attacks that use the UNION clause to steal data. Additionally, it’s important to note that PrestaShop includes a function called pSQL, which includes a strip_tags function. This helps protect your shop against Stored XSS (also known as XSS T2) of Category 1. If a pSQL function is missing, it could potentially expose your project to critical Stored XSS vulnerabilities due to edge cases. Therefore, it’s crucial to ensure that all relevant functions are properly implemented and used consistently throughout your project.
• Change the default database prefix ps_ with a new longer, arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skill because of a design vulnerability in DBMS
• Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

Timeline

Links

• PrestaShop addons product page
• National Vulnerability Database

Summary

• CVE ID: CVE-2024-24309
• Published at: 2024-02-20
• Platform: PrestaShop
• Product: ecomiz_survey_tma
• Impacted release: <= 1.2.0 (2.0.0 fixed the vulnerability)
• Product author: Ecomiz
• Weakness: CWE-200
• Severity: high (7.5), GDPR violation

Description

Due to a predictable token, a guest can access multiple technical information such as PrestaShop’s version, a full list of modules with their versions, the database name/host/user/prefix (excluding password), and commercial statistics.

CVSS base metrics

• Attack vector: network
• Attack complexity: low
• Privilege required: none
• User interaction: none
• Scope: unchanged
• Confidentiality: high
• Integrity: none
• Availability: none

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Possible malicious usage

• Get precious technical data to facilitate others attacks like CWE-89

Patch from 1.2.0

--- 1.2.0/modules/ecomiz_survey_tma/controllers/front/survey.php
+++ XXXXX/modules/ecomiz_survey_tma/controllers/front/survey.php
...
-      if($querytoken == "HARDCODED_TOKEN")
+      if($querytoken == Tools::encrypt($this->module->name))

Other recommendations

• You should restrict access to all FC of the module ecomiz_survey_tma

Timeline

EcomiZ thanks TouchWeb for its courtesy and its help after the vulnerability disclosure.

Links

• Author page
• National Vulnerability Database

Summary

• CVE ID: CVE-2024-24308
• Published at: 2024-02-08
• Platform: PrestaShop
• Product: boostmyshopagent
• Impacted release: <= 1.1.9 (1.1.10 fixed the vulnerability)
• Product author: Boostmyshop
• Weakness: CWE-89
• Severity: critical (9.8)

Description

The scripts changeOrderCarrier.php, relayPoint.php and shippingConfirmation.php has sensitive SQL call that can be executed with a trivial http call and exploited to forge a SQL injection.

Be warned that this module own others sensitives issues like BLIND SSRF which are ignored as all vulnerabilities with a CVSS 3.1 score < 7.5. See recommendations below.

CVSS base metrics

• Attack vector: network
• Attack complexity: low
• Privilege required: none
• User interaction: none
• Scope: unchanged
• Confidentiality: high
• Integrity: high
• Availability: high

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Possible malicious usage

• Obtain admin access
• Remove data from the associated PrestaShop
• Copy/paste data from sensitive tables to FRONT to expose tokens and unlock admins’s ajax scripts
• Rewrite SMTP settings to hijack emails

Patch from 1.1.9

--- 1.1.9/modules/boostmyshopagent/webservice/changeOrderCarrier.php
+++ XXXXX/modules/boostmyshopagent/webservice/changeOrderCarrier.php
        $query = new DbQuery();
        $query->select('*');
        $query->from('webservice_account');
-       $query->where('`key` = "' . $apiKey . '"');
+       $query->where('`key` = "' . pSQL($apiKey) . '"');

--- 1.1.9/modules/boostmyshopagent/webservice/relayPoint.php
+++ XXXXX/modules/boostmyshopagent/webservice/relayPoint.php
        $query = new DbQuery();
        $query->select('*');
        $query->from('webservice_account');
-       $query->where('`key` = "' . $apiKey . '"');
+       $query->where('`key` = "' . pSQL($apiKey) . '"');

--- 1.1.9/modules/boostmyshopagent/webservice/shippingConfirmation.php
+++ XXXXX/modules/boostmyshopagent/webservice/shippingConfirmation.php
        $query = new DbQuery();
        $query->select('*');
        $query->from('webservice_account');
-       $query->where('`key` = "' . $apiKey . '"');
+       $query->where('`key` = "' . pSQL($apiKey) . '"');

--- 1.1.7/modules/boostmyshopagent/webservice/pack.php
+++ XXXXX/modules/boostmyshopagent/webservice/pack.php
     $query = new DbQuery();
     $query->select('*');
     $query->from('webservice_account');
-    $query->where('`key` = "' . $apiKey . '"');
+    $query->where('`key` = "' . pSQL($apiKey) . '"');

--- 1.1.9/modules/boostmyshopagent/webservice/productData.php
+++ XXXXX/modules/boostmyshopagent/webservice/productData.php
-   $shopId = Tools::getValue('shopId') ?: 1;
+   $shopId = (int) Tools::getValue('shopId') ?: 1;

Other recommendations

• It’s recommended to upgrade to the latest version of the module boostmyshopagent.
• You must restrict access to modules/boostmyshopagent/webservice/ to a given whitelist to prevent BLIND SSRF chain exploit
• To help improve the security of your PrestaShop installation, we recommend upgrading to the latest version. One of the benefits of upgrading is that it will disable the use of multiquery executions (separated by semicolons). However, please be aware that this will not protect your shop against SQL injection attacks that use the UNION clause to steal data. Additionally, it’s important to note that PrestaShop includes a function called pSQL, which includes a strip_tags function. This helps protect your shop against Stored XSS (also known as XSS T2) of Category 1. If a pSQL function is missing, it could potentially expose your project to critical Stored XSS vulnerabilities due to edge cases. Therefore, it’s crucial to ensure that all relevant functions are properly implemented and used consistently throughout your project.
• Change the default database prefix ps_ with a new longer, arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skills because of a design vulnerability in DBMS
• Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

Timeline

Links

• PrestaShop addons product page
• National Vulnerability Database

Summary

• CVE ID: CVE-2023-50026
• Published at: 2024-02-08
• Platform: PrestaShop
• Product: hsmultiaccessoriespro
• Impacted release: <= 5.2.0 (5.3.0 fixed the vulnerability)
• Product author: Presta Monster
• Weakness: CWE-89
• Severity: critical (9.8)

Description

The method HsAccessoriesGroupProductAbstract::getAccessoriesByIdProducts() has a sensitive SQL call that can be executed with a trivial http call and exploited to forge a SQL injection.

This exploit uses a PrestaShop front controller and most attackers can conceal the module controller’s path during the exploit, so you will never know within your conventional frontend logs that it exploits this vulnerability. You will only see “POST /” inside your conventional frontend logs. Activating the AuditEngine of mod_security (or similar) is the only way to get data to confirm this exploit.

CVSS base metrics

• Attack vector: network
• Attack complexity: low
• Privilege required: none
• User interaction: none
• Scope: unchanged
• Confidentiality: high
• Integrity: high
• Availability: high

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Possible malicious usage

• Obtain admin access
• Remove data from the associated PrestaShop
• Copy/paste data from sensitive tables to FRONT to expose tokens and unlock admins’s ajax scripts
• Rewrite SMTP settings to hijack emails

Patch from 5.2.0

--- 5.2.0/modules/hsmultiaccessoriespro/abstract/classes/HsAccessoriesGroupAbstract.php
+++ 5.3.0/modules/hsmultiaccessoriespro/abstract/classes/HsAccessoriesGroupAbstract.php
@@ -350,6 +350,6 @@ class HsAccessoriesGroupAbstract extends ObjectModel
         if (!empty($id_groups)) {
-            $sql_where[] = 'apg.`id_accessory_group` IN ('.implode(',', $id_groups).')';
+            $sql_where[] = 'apg.`id_accessory_group` IN ('.implode(',', array_map('intval', $id_groups)) . ')';
         }
-        $sql_where[] = 'apg.`id_product` IN('.implode(',', $id_products).')';
-        $sql_where[] = 'p.`id_product` NOT IN ('.implode(',', $id_products).')';
+        $sql_where[] = 'apg.`id_product` IN('. implode(',', array_map('intval', $id_products)) . ')';
+        $sql_where[] = 'p.`id_product` NOT IN ('. implode(',', array_map('intval', $id_products)) . ')';
         if (!Configuration::get('HSMA_SHOW_NW_VISIBILITY_PRODUCTS')) {
@@ -710,3 +710,3 @@ class HsAccessoriesGroupAbstract extends ObjectModel
         }
-        $sql_where[] = 'apg.`id_product` IN('.implode(',', $id_products).')';
+        $sql_where[] = 'apg.`id_product` IN('. implode(',', array_map('intval', $id_products)) . ')';
         $sql = 'SELECT

--- 5.2.0/modules/hsmultiaccessoriespro/abstract/classes/HsAccessoriesGroupProductAbstract.php
+++ 5.3.0/modules/hsmultiaccessoriespro/abstract/classes/HsAccessoriesGroupProductAbstract.php
@@ -285,3 +285,3 @@ class HsAccessoriesGroupProductAbstract extends ObjectModel
             $query->from('accessory_group_product', 'agp');
-            $query->where('agp.`id_product` IN (' . implode(',', $id_products) . ')');
+            $query->where('agp.`id_product` IN (' . implode(',', array_map('intval', $id_products)) . ')');
             $query->where('ag.`active` = 1');
@@ -477,3 +477,3 @@ class HsAccessoriesGroupProductAbstract extends ObjectModel
             $query->from('customization_field', 'cf');
-            $query->where('cf.`id_product` IN (' . implode(',', $id_accessories) . ')');
+            $query->where('cf.`id_product` IN (' . implode(',', array_map('intval', $id_accessories)) . ')');
             $query->orderBy('cf.`id_customization_field` ASC');

--- 5.2.0/modules/hsmultiaccessoriespro/abstract/classes/HsMaSearch.php
+++ 5.3.0/modules/hsmultiaccessoriespro/abstract/classes/HsMaSearch.php
@@ -73,3 +73,3 @@ class HsMaSearch extends Search
             $sql_where = array();
-            $sql_where[] = 'p.`id_product` IN ('.implode(',', $eligible_products).')';
+            $sql_where[] = 'p.`id_product` IN ('.implode(',', array_map('intval', $eligible_products)) . ')';
             if ($keyword !== null) {
@@ -124,3 +124,3 @@ class HsMaSearch extends Search
             $query->from('category_product', 'cp');
-            $query->where(!empty($id_categories) ? 'cp.`id_category` IN ('.implode(',', $id_categories).')' : null);
+            $query->where(!empty($id_categories) ? 'cp.`id_category` IN ('. implode(',', array_map('intval', $id_categories)) .')' : null);
             $products = Db::getInstance()->executeS($query);

Other recommendations

• It’s recommended to upgrade to the latest version of the module hsmultiaccessoriespro.
• To help improve the security of your PrestaShop installation, we recommend upgrading to the latest version. One of the benefits of upgrading is that it will disable the use of multiquery executions (separated by semicolons). However, please be aware that this will not protect your shop against SQL injection attacks that use the UNION clause to steal data. Additionally, it’s important to note that PrestaShop includes a function called pSQL, which includes a strip_tags function. This helps protect your shop against Stored XSS (also known as XSS T2) of Category 1. If a pSQL function is missing, it could potentially expose your project to critical Stored XSS vulnerabilities due to edge cases. Therefore, it’s crucial to ensure that all relevant functions are properly implemented and used consistently throughout your project.
• Change the default database prefix ps_ with a new longer, arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skills because of a design vulnerability in DBMS
• Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

Timeline

Links

• Author product page
• National Vulnerability Database

Summary

• CVE ID: CVE-2023-46350
• Published at: 2024-02-08
• Platform: PrestaShop
• Product: idxrmanufacturer
• Impacted release: <= 2.0.4 (2.0.5 fixe the vulnerability)
• Product author: InnovaDeluxe
• Weakness: CWE-89
• Severity: critical (9.8)

Description

The methods IdxrmanufacturerFunctions::getCornersLink, IdxrmanufacturerFunctions::getManufacturersLike and IdxrmanufacturerFunctions::getSuppliersLike has sensitive SQL calls that can be executed with a trivial http call and exploited to forge a SQL injection.

This exploit uses a PrestaShop front controller and most attackers can conceal the module controller’s path during the exploit, so you will never know within your conventional frontend logs that it exploits this vulnerability. You will only see “POST /” inside your conventional frontend logs. Activating the AuditEngine of mod_security (or similar) is the only way to get data to confirm this exploit.

CVSS base metrics

• Attack vector: network
• Attack complexity: low
• Privilege required: none
• User interaction: none
• Scope: unchanged
• Confidentiality: high
• Integrity: high
• Availability: high

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Possible malicious usage

• Obtain admin access
• Remove data from the associated PrestaShop
• Copy/paste data from sensitive tables to FRONT to expose tokens and unlock admins’s ajax scripts
• Rewrite SMTP settings to hijack emails

Patch from 2.0.3

--- 2.0.3/modules/idxrmanufacturer/classes/module/Functions.php
+++ XXXXX/modules/idxrmanufacturer/classes/module/Functions.php
@@ -241,7 +241,7 @@ trait IdxrmanufacturerFunctions
         $query->select('cor.id_corners, corl.link_rewrite ');
         $query->from('corners', 'cor');
         $query->innerJoin('corners_lang', 'corl', 'cor.id_corners = corl.id_corners');
-        $query->where('m.name like \'%'.Tools::getValue('q').'%\'');
+        $query->where('m.name like \'%'.pSQL(Tools::getValue('q')).'%\'');
         $query->where('cor.id_' . $listing . ' = ' . (int) $id);
         $query->orderBy('m.`name` ASC');
         if ($row = Db::getInstance()->getRow($query)) {
@@ -270,7 +270,7 @@ trait IdxrmanufacturerFunctions
         $query->from('manufacturer', 'm');
         $query->join(Shop::addSqlAssociation('manufacturer', 'm'));
         $query->leftJoin('manufacturer_lang', 'ml', 'm.id_manufacturer = ml.id_manufacturer AND ml.id_lang = ' . (int) $id_lang);
-        $query->where('m.name like \'%'.Tools::getValue('q').'%\'');
+        $query->where('m.name like \'%'.pSQL(Tools::getValue('q')).'%\'');
         $query->where('m.active = 1');
         $query->orderBy('m.`name` ASC');
         return Db::getInstance(_PS_USE_SQL_SLAVE_)->executeS($query);
@@ -284,7 +284,7 @@ trait IdxrmanufacturerFunctions
         $query->from('supplier', 's');
         $query->leftJoin('supplier_lang', 'sl', 's.`id_supplier` = sl.`id_supplier` AND sl.`id_lang` = ' . (int) $id_lang);
         $query->join(Shop::addSqlAssociation('supplier', 's'));
-        $query->where('s.name like \'%'.Tools::getValue('q').'%\'');
+        $query->where('s.name like \'%'.pSQL(Tools::getValue('q')).'%\'');
         $query->orderBy('s.`name` ASC');

         return Db::getInstance(_PS_USE_SQL_SLAVE_)->executeS($query);

Other recommendations

• It’s recommended to upgrade to the latest version of the module idxrmanufacturer.
• To help improve the security of your PrestaShop installation, we recommend upgrading to the latest version. One of the benefits of upgrading is that it will disable the use of multiquery executions (separated by semicolons). However, please be aware that this will not protect your shop against SQL injection attacks that use the UNION clause to steal data. Additionally, it’s important to note that PrestaShop includes a function called pSQL, which includes a strip_tags function. This helps protect your shop against Stored XSS (also known as XSS T2) of Category 1. If a pSQL function is missing, it could potentially expose your project to critical Stored XSS vulnerabilities due to edge cases. Therefore, it’s crucial to ensure that all relevant functions are properly implemented and used consistently throughout your project.
• Change the default database prefix ps_ with a new longer, arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skills because of a design vulnerability in DBMS
• Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

Timeline

Links

• PrestaShop addons product page
• National Vulnerability Database

Summary

• CVE ID: CVE-2023-50061
• Published at: 2024-02-08
• Platform: PrestaShop
• Product: oparteasyredirect
• Impacted release: >= 1.3.8 and <= 1.3.12 (1.3.13 fixed the vulnerability)
• Product author: Opart
• Weakness: CWE-89
• Severity: critical (9.8)

Description

Methods Oparteasyredirect::hookActionDispatcher() has sensitive SQL calls that can be executed with a trivial http call and exploited to forge a SQL injection on PHP 8.0- (so including PHP 7.X / 5.X).

The large scope of URL exposed to the vulnerability increases its severity and the risk that a pattern of URL is in whitelist of a WAF.

WARNING : This vulnerability will bypass some WAF, for this reason, POC is not given.

CVSS base metrics

• Attack vector: network
• Attack complexity: low
• Privilege required: none
• User interaction: none
• Scope: unchanged
• Confidentiality: high
• Integrity: high
• Availability: high

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Possible malicious usage

• Obtain admin access
• Remove data from the associated PrestaShop
• Copy/paste data from sensitive tables to FRONT to expose tokens and unlock admins’s ajax scripts
• Rewrite SMTP settings to hijack emails

Patch from 1.3.12

--- 1.3.12/modules/oparteasyredirect/oparteasyredirect.php
+++ 1.3.13/modules/oparteasyredirect/oparteasyredirect.php
@@ -384,3 +384,3 @@ class Oparteasyredirect extends Module
                                             INSERT INTO `'._DB_PREFIX_.'pagenotfound` (`request_uri`, `http_referer`, `date_add`, `id_shop`, `id_shop_group`)
-                        VALUES (\''.htmlentities($request_uri).'\', \''.htmlentities($http_referer).'\', NOW(), '.(int)$this->context->shop->id.', '.(int)$this->context->shop->id_shop_group.')
+                        VALUES (\''.pSQL(htmlentities($request_uri)).'\', \''.pSQL(htmlentities($http_referer)).'\', NOW(), '.(int)$this->context->shop->id.', '.(int)$this->context->shop->id_shop_group.')
                     '
@@ -406,3 +406,3 @@ class Oparteasyredirect extends Module
                                         INSERT INTO `'._DB_PREFIX_.'pagenotfound` (`request_uri`, `http_referer`, `date_add`, `id_shop`, `id_shop_group`)
-                    VALUES (\''.htmlentities($request_uri).'\', \''.htmlentities($http_referer).'\', NOW(), '.(int)$this->context->shop->id.', '.(int)$this->context->shop->id_shop_group.')
+                    VALUES (\''.pSQL(htmlentities($request_uri)).'\', \''.pSQL(htmlentities($http_referer)).'\', NOW(), '.(int)$this->context->shop->id.', '.(int)$this->context->shop->id_shop_group.')
                 '
@@ -427,3 +427,3 @@ class Oparteasyredirect extends Module
                                         INSERT INTO `'._DB_PREFIX_.'pagenotfound` (`request_uri`, `http_referer`, `date_add`, `id_shop`, `id_shop_group`)
-                    VALUES (\''.htmlentities($request_uri).'\', \''.htmlentities($http_referer).'\', NOW(), '.(int)$this->context->shop->id.', '.(int)$this->context->shop->id_shop_group.')
+                    VALUES (\''.pSQL(htmlentities($request_uri)).'\', \''.pSQL(htmlentities($http_referer)).'\', NOW(), '.(int)$this->context->shop->id.', '.(int)$this->context->shop->id_shop_group.')
                 '
@@ -446,3 +446,3 @@ class Oparteasyredirect extends Module
                                         INSERT INTO `'._DB_PREFIX_.'pagenotfound` (`request_uri`, `http_referer`, `date_add`, `id_shop`, `id_shop_group`)
-                    VALUES (\''.htmlentities($request_uri).'\', \''.htmlentities($http_referer).'\', NOW(), '.(int)$this->context->shop->id.', '.(int)$this->context->shop->id_shop_group.')
+                    VALUES (\''.pSQL(htmlentities($request_uri)).'\', \''.pSQL(htmlentities($http_referer)).'\', NOW(), '.(int)$this->context->shop->id.', '.(int)$this->context->shop->id_shop_group.')

Other recommendations

• It’s recommended to upgrade to the latest version of the module oparteasyredirect.
• To help improve the security of your PrestaShop installation, we recommend upgrading to the latest version. One of the benefits of upgrading is that it will disable the use of multiquery executions (separated by semicolons). However, please be aware that this will not protect your shop against SQL injection attacks that use the UNION clause to steal data. Additionally, it’s important to note that PrestaShop includes a function called pSQL, which includes a strip_tags function. This helps protect your shop against Stored XSS (also known as XSS T2) of Category 1. If a pSQL function is missing, it could potentially expose your project to critical Stored XSS vulnerabilities due to edge cases. Therefore, it’s crucial to ensure that all relevant functions are properly implemented and used consistently throughout your project.
• Change the default database prefix ps_ with a new longer, arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skills because of a design vulnerability in DBMS
• Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

Timeline

Opart thanks TouchWeb for its courtesy and its help after the vulnerability disclosure.