- [CVE-2023-39528] Reading a file through path traversal & Remote Code Execution via unsafe deserialization
  Initially flagged as a path traversal with medium severity, the work of the Friends Of Presta Security team proved that this vulnerability can be used to implicitly deserialize a malicious payload (critical severity).
- [CWE-502] Exploring the perils of implicit deserialization of a phar in PrestaShop prior to PHP 8.0 (part 2)
  Prior to PHP 8.0, “The PHP documentation reveals that PHAR manifest files contain serialized metadata. Crucially, if you perform any filesystem operations on a phar:// stream, this metadata is implicitly deserialized. This means that a phar:// stream can potentially be a vector for exploiting insecure deserialization, provided that you can pass this stream into a filesystem method.”
- [CVE-2023-39527] Possible XSS injection through Validate::isCleanHTML method
  The ValidateCore::isCleanHTML() method of PrestaShop misses hijackable events, which can lead to XSS injection, enabled by the presence of pre-configured @Keyframes methods.
- [CVE-2023-39526] SQL manager vulnerability (potential RCE)
  PrestaShop is an open source e-commerce web application. Versions prior to 1.7.8.10, 8.0.5, and 8.1.1 are vulnerable to remote code execution through SQL injection and arbitrary file write in the back office. Versions 1.7.8.10, 8.0.5, and 8.1.1 contain a patch. There are no known workarounds.
- [CVE-2023-39525][CVE-2023-39529][CVE-2023-39530] Path traversal: file deletion in the back office
  PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, in the back office, files can be compromised using path traversal by replaying the import file deletion query with a specified file path that uses the traversal path. Version 8.1.1 contains a patch for this issue. There are no known workarounds.
- [CVE-2023-39524] Full SQL injection possible in search product in back office
  PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, SQL injection is possible in the product search field on the back office (BO) product page. Version 8.1.1 contains a patch for this issue.
- [CVE-2023-39641] Improper neutralization of SQL parameter in Active Design - Full Affiliates module for PrestaShop
  In the module “Full Affiliates” (psaffiliate) up to version 1.9.7 from Active Design for PrestaShop, a guest can perform SQL injection in affected versions.
- [CVE-2023-39639] Improper neutralization of SQL parameter in LeoTheme - Leo Blog module for PrestaShop
  In the module “Leo Blog” (leoblog) up to version 3.1.2 from LeoTheme for PrestaShop, a guest can perform SQL injection in affected versions.
- [CVE-2023-39643] Improper neutralization of SQL parameter in Bl Modules - XML Feeds PRO module for PrestaShop
  In the module “XML Feeds PRO” (xmlfeeds) up to version 3.8.2 from Bl Modules for PrestaShop, a guest can perform SQL injection in affected versions.
- [CVE-2023-39642] Improper neutralization of SQL parameter in Carts Guru - Marketing automation multicanal module for PrestaShop
  In the module “Marketing automation multicanal” (cartsguru) up to version 2.4.2 from Carts Guru for PrestaShop, a guest can perform SQL injection in affected versions.