IMPORTANT NOTICE: DO NOT REPORT VULNERABILITIES SOLELY TO THE AUTHOR OR MARKETPLACE.
We urge you to report any vulnerabilities directly to us. Our mission is to ensure the safety and security of the PrestaShop ecosystem. Unfortunately, many module developers may not always recognize or acknowledge the vulnerabilities in their code, whether due to lack of awareness, or inability to properly evaluate the associated risk, or other reasons.
Given the rise in professional cybercrime networks actively seeking out these vulnerabilities, it's crucial that any potential threats are promptly addressed and the community is informed. The most effective method to do this is by publishing a CVE, like the one provided below.
Should you discover any vulnerabilities, please report them to us at: report[@]security-presta.org or visit https://security-presta.org for more information.
Every vulnerability report helps make the community more secure, and we are profoundly grateful for any information shared with us.
-
[CVE-2023-33493] Unrestricted Upload of File with Dangerous Type in the Ajaxmanager File and Database explorer (ajaxmanager) module from RSI for PrestaShop
An “Unrestricted Upload of File with Dangerous Type” vulnerability exists in the Ajaxmanager File and Database explorer (ajaxmanager) module, from RSI, for PrestaShop, in all versions (including the latest version 2.3.0). This allows remote attackers to upload dangerous files without restriction.
-
[CVE-2023-26859] Multiple improper neutralizations of an SQL parameters in Sendinblue module for PrestaShop
In the module “Sendinblue - All-in-one marketing tool” (sendinblue) up to versions 4.0.14 from Sendinblue for PrestaShop, an anonymous user can perform SQL injection in affected versions if double optin is enabled. 4.0.15 fixed vulnerabilities.
-
[CVE-2023-30200] Improper Limitation of a Pathname to a Restricted Directory in Advanced Plugins - Image: WebP, Compress, Zoom, Lazy load, Alt & More module for PrestaShop
In the module “Image: WebP, Compress, Zoom, Lazy load, Alt & More” (ultimateimagetool) in versions up to 2.1.02 from Advanced Plugins for PrestaShop, a guest can download personal information without restriction by performing a path traversal attack.
-
[CVE-2023-30153] Improper neutralization of a SQL parameter in the Payplug (payplug) module for PrestaShop
SQL injection vulnerability in the Payplug (payplug) module for PrestaShop, in versions 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.7.0 and 3.7.1, allows remote attackers to execute arbitrary SQL commands via the
ajax.phpfront controller. -
[CVE-2023-33777] Exposure of Private Personal Information to an Unauthorized Actor in Common Services - Amazon module for PrestaShop
In the module “Amazon” (amazon) up to version 5.2.23 from Common Services for PrestaShop, a guest can access personal data.
-
[CVE-2023-26861] Improper neutralization of several SQL parameters in vivawallet module for PrestaShop
The deprecated module “vivawallet” (name of the directory) edited by Viva Wallet prior to 1.7.9 for PrestaShop has several SQL injections.
-
[CVE-2023-27845] Improper neutralization of a SQL parameter in KerAwen Omnichannel Stocks module for PrestaShop
In the module “KerAwen Omnichannel Stocks” (kerawen_ocs) for PrestaShop, an anonymous user can perform SQL injection before 1.4.1. Release 1.4.1 fixed this security issue.
-
[CVE-2023-33664] Improper neutralization of a SQL parameter in aicombinationsonfly module for PrestaShop
In the module “Combinations generated on fly for your store” (aicombinationsonfly) for PrestaShop, an attacker can perform SQL injection before 0.3.1. Release 0.3.1 fixed this security issue.
-
[CVE-2023-30195] Exposure of Private Personal Information to an Unauthorized Actor in Linea Grafica - Detailed Order module for PrestaShop
In the module “Detailed Order” (lgdetailedorder) from Linea Grafica for PrestaShop, a guest can download personal information without restriction formatted in json.
-
[CVE-2023-30151] Improper neutralization of SQL parameters in the Boxtal (envoimoinscher) module from Boxtal for PrestaShop
In the Boxtal (envoimoinscher) module from Boxtal for PrestaShop, after version 3.1.10, a SQL injection vulnerability allows remote attackers to execute arbitrary SQL commands via the
keyparameter in theajax.phpfront controller.