- [CWE-502] Exploring the perils of unsafe unserialize() in PrestaShop (part 1)
  The deserialization of instantiated objects in PHP triggers the magic methods __construct(), __wakeup() and __destruct().
- [CVE-2023-39652] Improper neutralization of SQL parameter in Theme Volty Video Tab module for PrestaShop
  In the module “Theme Volty Video Tab” (tvcmsvideotab) up to version 4.0.0 from Theme Volty for PrestaShop, a guest can perform SQL injection in affected versions.
- [CVE-2023-39650] Improper neutralization of SQL parameters in Theme Volty CMS Blog module for PrestaShop
  In the module “Theme Volty CMS Blog” (tvcmsblog) up to version 4.0.1 from Theme Volty for PrestaShop, a guest can perform SQL injection in affected versions.
- [CVE-2023-33663] Improper neutralization of a SQL parameter in aicustomfee from ai-dev module for PrestaShop
  In the module “Customization fields fee for your store” (aicustomfee) for PrestaShop, an attacker can perform SQL injection up to version 0.2.0. Release 0.2.1 fixed this security issue.
- [CVE-2023-33666] Improper neutralization of a SQL parameter in aioptimizedcombinations from ai-dev module for PrestaShop
  In the module “Optimized combinations” (aioptimizedcombinations) for PrestaShop, an attacker can perform a SQL injection up to version 0.1.2. Release 0.1.3 fixed this security issue.
- [CVE-2023-33665] Improper neutralization of a SQL parameter in aitable from ai-dev module for PrestaShop
  In the module “Attributes table” (aitable) for PrestaShop, an attacker can perform a SQL injection up to version 0.2.1. Release 0.2.2 fixed this security issue.
- [CVE-2023-33493] Unrestricted Upload of File with Dangerous Type in the Ajaxmanager File and Database explorer (ajaxmanager) module from RSI for PrestaShop
  An “Unrestricted Upload of File with Dangerous Type” vulnerability exists in the Ajaxmanager File and Database explorer (ajaxmanager) module, from RSI, for PrestaShop, in all versions (including the latest version 2.3.0). This allows remote attackers to upload dangerous files without restriction.
- [CVE-2023-26859] Multiple improper neutralizations of SQL parameters in Sendinblue module for PrestaShop
  In the module “Sendinblue - All-in-one marketing tool” (sendinblue) up to version 4.0.14 from Sendinblue for PrestaShop, an anonymous user can perform SQL injection in affected versions if double opt-in is enabled. Version 4.0.15 fixed these vulnerabilities.
- [CVE-2023-30200] Improper Limitation of a Pathname to a Restricted Directory in Advanced Plugins - Image: WebP, Compress, Zoom, Lazy load, Alt & More module for PrestaShop
  In the module “Image: WebP, Compress, Zoom, Lazy load, Alt & More” (ultimateimagetool) in versions up to 2.1.02 from Advanced Plugins for PrestaShop, a guest can download personal information without restriction by performing a path traversal attack.
- [CVE-2023-30153] Improper neutralization of a SQL parameter in the Payplug (payplug) module for PrestaShop
  SQL injection vulnerability in the Payplug (payplug) module for PrestaShop, in versions 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.7.0 and 3.7.1, allows remote attackers to execute arbitrary SQL commands via the ajax.php front controller.