IMPORTANT NOTICE: DO NOT REPORT VULNERABILITIES SOLELY TO THE AUTHOR OR MARKETPLACE.
We urge you to report any vulnerabilities directly to us. Our mission is to ensure the safety and security of the PrestaShop ecosystem. Unfortunately, many module developers do not always recognize or acknowledge the vulnerabilities in their code, whether due to a lack of awareness, an inability to properly evaluate the associated risk, or other reasons.
Given the rise in professional cybercrime networks actively seeking out these vulnerabilities, it is crucial that any potential threats are promptly addressed and that the community is informed. The most effective way to do this is by publishing a CVE, like the ones listed below.
Should you discover any vulnerabilities, please report them to us at: report[@]security-presta.org or visit https://security-presta.org for more information.
Every vulnerability report helps make the community more secure, and we are profoundly grateful for any information shared with us.
-
[CVE-2023-30189] Improper neutralization of SQL parameter in Posthemes - Static Blocks module for PrestaShop
In the module “Static Blocks” (posstaticblocks) from PosThemes for PrestaShop, a guest can perform SQL injection in affected versions.
-
[CVE-2023-27843] Improper neutralization of a SQL parameter in askforaquote module for PrestaShop
In the module “Ask for a Quote - Convert to order, messaging system” (askforaquote) for PrestaShop, an anonymous user can perform SQL injection before 5.4.3. Release 5.4.3 fixed this security issue.
-
[CVE-2023-26865] Improper neutralization of a SQL parameter in bdroppy module for PrestaShop
In the module “BDroppy- The best brands for your dropshipping business” (bdroppy) for PrestaShop, an attacker can perform a blind SQL injection before 2.2.27. Release 2.2.28 fixed this security issue.
-
[CVE-2023-28839] Improper neutralization of a SQL parameter in Shoppingfeed module for PrestaShop
A SQL injection vulnerability found in the module “Shoppingfeed PrestaShop Plugin (Feed&Order)” (aka shoppingfeed) for PrestaShop from 1.4.0 to 1.8.2 (1.8.3 fixes the issue) allows a remote attacker to gain privileges.
-
[CVE-2023-27844] Improper neutralization of SQL parameter in leurlrewrite for PrestaShop
In the module “LitExtension Url Plugin” (leurlrewrite) for PrestaShop, an attacker can perform SQL injection up to 1.0. Even though the module has been patched in version 1.0, the version number was not incremented at the time. We consider the issue resolved in versions after 1.0.
-
[CVE-2023-27032] Improper neutralization of SQL parameter in Idnovate - AdvancedPopupCreator module for PrestaShop
In the module “Advanced Popup Creator” (advancedpopupcreator) from Idnovate for PrestaShop, a guest can perform SQL injection in affected versions.
-
[CVE-2023-27033] Unrestricted Upload of File with Dangerous Type in Cdesigner module for PrestaShop
In the module “Cdesigner” (cdesigner) up to 3.2.1 (3.2.2 fixes the issue), a guest can upload files with extensions matching .php.+ (such as .php7).
-
[CVE-2023-26860] Improper neutralization of SQL parameter in lgbudget module for PrestaShop
In the module “Save your carts and buy later” (lgbudget) for PrestaShop, an authenticated user can perform a blind SQL injection up to 1.0.3. Release 1.0.4 fixed this security issue.
-
[CVE-2023-28843] Improper neutralization of SQL parameter in PayPal module for PrestaShop 1.6 and 1.5
A SQL injection vulnerability found in the module “PayPal Official Module” (aka paypal) for PrestaShop from 3.12.0 to 3.16.3 (3.16.4 fixes the issue) allows a remote attacker to gain privileges.
-
[CVE-2023-27639][CVE-2023-27640][CWE-22] Multiple path traversal in Custom Product Designer (tshirtecommerce) module for PrestaShop
In the Custom Product Designer (tshirtecommerce) module for PrestaShop, HTTP requests can be forged using POST and GET parameters enabling a remote attacker to perform directory traversal on the system and view the contents of code files. Since the module appears not to have been maintained since 2019, it is strongly recommended to remove it.