IMPORTANT NOTICE: DO NOT REPORT VULNERABILITIES SOLELY TO THE AUTHOR OR MARKETPLACE.
We urge you to report any vulnerabilities directly to us. Our mission is to ensure the safety and security of the PrestaShop ecosystem. Unfortunately, many module developers may not always recognize or acknowledge the vulnerabilities in their code, whether due to a lack of awareness, an inability to properly evaluate the associated risk, or other reasons.
Given the rise in professional cybercrime networks actively seeking out these vulnerabilities, it's crucial that any potential threats are promptly addressed and the community is informed. The most effective method to do this is by publishing a CVE, like the one provided below.
Should you discover any vulnerabilities, please report them to us at: report[@]security-presta.org or visit https://security-presta.org for more information.
Every vulnerability report helps make the community more secure, and we are profoundly grateful for any information shared with us.
-
[CVE-2023-36263] Improper neutralization of SQL parameter in Opart limit quantity for PrestaShop
In the module “Opart limit quantity” (opartlimitquantity), a guest can perform SQL injection in affected versions.
-
[CVE-2023-43139] Improper Neutralization of Special Elements used in an OS Command in the Franfinance module for PrestaShop
The PrestaShop e-commerce platform module Franfinance contains a vulnerability that lets an attacker inject malware in releases published before 2019.
-
[CVE-2023-46358] Improper neutralization of SQL parameter in Snegurka - Referral and Affiliation Program module for PrestaShop
In the module “Referral and Affiliation Program” (referralbyphone) up to 3.5.1 (all versions - see WARNING) from Snegurka for PrestaShop, a guest can perform SQL injection in affected versions.
-
[CVE-2023-46347] Improper neutralization of SQL parameter in NDK Design - Step by Step products Pack module for PrestaShop
In the module “Step by Step products Pack” (ndk_steppingpack) up to 1.5.6 from NDK Design for PrestaShop, a guest can perform SQL injection in affected versions.
-
[CVE-2023-46346] Improper Limitation of a Pathname to a Restricted Directory in MyPrestaModules - Product Catalog (CSV, Excel, XML) Export PRO module for PrestaShop
In the module “Product Catalog (CSV, Excel, XML) Export PRO” (exportproducts) up to 4.1.1 from MyPrestaModules for PrestaShop, a guest can download personal information without restriction by performing a path traversal attack.
-
[CVE-2023-45376] Improper neutralization of SQL parameter in HiPresta - Carousels Pack - Instagram, Products, Brands, Supplier module for PrestaShop
In the module “Carousels Pack - Instagram, Products, Brands, Supplier” (hicarouselspack) up to version 1.5.0 from HiPresta for PrestaShop, a guest can perform SQL injection in affected versions.
-
[CVE-2023-45381] Improper neutralization of SQL parameter in WebshopWorks Creative Popup module for PrestaShop
In the module “Creative Popup” (creativepopup) up to version 1.6.9 from WebshopWorks for PrestaShop, a guest can perform SQL injection in affected versions.
-
[CVE-2023-43986] Improper neutralization of SQL parameter in DM Concept - Advanced configurator for customized product module for PrestaShop
In the module “Advanced configurator for customized product” (configurator) up to version 4.9.3 from DM Concept for PrestaShop, a guest can perform SQL injection in affected versions.
-
[CVE-2023-45384] Unrestricted Upload of File with Dangerous Type in KnowBand - One Page Checkout, Social Login & Mailchimp module for PrestaShop
In the module “Module One Page Checkout, Social Login & Mailchimp” (supercheckout) up to version 6.0.6 from KnowBand for PrestaShop, a guest can upload dangerous files with the .php extension.
-
[CVE-2023-45383] Improper Limitation of a Pathname to a Restricted Directory in Common-Services - Sonice Etiquetage module for PrestaShop
In the module “SoNice Etiquetage” (sonice_etiquetage) up to version 2.5.9 from Common-Services for PrestaShop, a guest can download personal information without restriction by performing a path traversal attack.