[CVE-2023-45387] Improper neutralization of SQL parameter in MyPrestaModules - Product Catalog (CSV, Excel, XML) Export PRO module for PrestaShop

In the module “Product Catalog (CSV, Excel, XML) Export PRO” (exportproducts) in versions up to 5.0.0 from MyPrestaModules for PrestaShop, a guest can perform SQL injection in affected versions.

Prestashop unremoved install directory risks

Prestashop installation directory must be deleted after a successful installation. It should not be renamed, as the remaining directory can contain code that is exploitable if publicly accessible, such as:

• tool to sync information in database
• tool to extract db information in xml files

[CVE-2023-43979] Improper neutralization of SQL parameter in PrestaHero (ETS Soft) - BLOG - Drive High Traffic & Boost SEO module for PrestaShop

In the module “BLOG - Drive High Traffic & Boost SEO” (ybc_blog) in version up to 3.3.8 from PrestaHero (ETS Soft) for PrestaShop, a guest can perform SQL injection in affected versions.

[CVE-2023-47309] Improper Neutralization of Input During Web Page Generation in Nukium - NKM GLS module for PrestaShop

In the module “NKM GLS” (nkmgls) up to version 3.0.1 from Nukium for PrestaShop, a guest (authenticated customer) can perform XSS injection of type 2 (stored XSS) from FRONT to BACK (F2B) of Category 2 within the funnel order in affected versions.

[CVE-2023-40923] Improper neutralization of an SQL parameter in MyPrestaModules - Orders (CSV, Excel) Export PRO module for PrestaShop

In the module “Orders (CSV, Excel) Export PRO” (ordersexport) from MyPrestaModules for PrestaShop, an anonymous user can perform SQL injection up to 5.0. Release 5.0 fixed this security issue.

[CVE-2023-47308] Improper neutralization of SQL parameter in Active Design - Newsletter Popup PRO with Voucher/Coupon code module for PrestaShop

In the module “Newsletter Popup PRO with Voucher/Coupon code” (newsletterpop) up to version 2.6.0 from Active Design for PrestaShop, a guest can perform SQL injection in affected versions.

[CVE-2023-45380] Exposure of Private Personal Information to an Unauthorized Actor in Silbersaiten - Order Duplicator – Clone and Delete Existing Order module for PrestaShop

In the module “Order Duplicator – Clone and Delete Existing Order” (orderduplicate) in versions up to 1.1.7 from Silbersaiten for PrestaShop, a guest can download personal information without restriction.

[CVE-2023-43984] Exposure of Private Personal Information to an Unauthorized Actor in Smart Soft - Advanced Export Products Orders Cron CSV Excel module for PrestaShop

In the module “Advanced Export Products Orders Cron CSV Excel” (advancedexport) in versions up to 4.4.6 from Smart Soft for PrestaShop, a guest can download personal information without restriction.

[CVE-2023-40922] Improper neutralization of SQL parameter in KerAwen module for PrestaShop

In the module “KerAwen” (kerawen) up to version 2.3.81.1 from KerAwen for PrestaShop, an anonymous user can perform a SQL injection.

[CVE-2023-43982] Server-Side Request Forgery (SSRF) in Bon Presta - SocialFeed - Photos & Video/Reels using Instagram API for PrestaShop

In the module “SocialFeed - Photos & Video/Reels using Instagram API” (boninstagramcarousel) up to version 6.0.0 from Bon Presta for PrestaShop, an anonymous user can perform a Server-Side Request Forgery (SSRF).