-
[CVE-2023-30194] Improper neutralization of SQL parameter in Posthemes - Static Footer module for PrestaShop
In the module “Static Footer” (posstaticfooter) from PosThemes for PrestaShop, a guest can perform SQL injection in affected versions.
-
[CVE-2023-30281] Exposure of Private Personal Information to an Unauthorized Actor in SC Quick Accounting module for PrestaShop
In the module “SC Quick Accounting” (scquickaccounting), a guest can download personal information without restriction.
-
[CVE-2023-30839] SQL filter bypass leading to arbitrary write requests using SQL Manager [DEBATE RUNNING ABOUT SCORING FROM PS CORE]
Due to a bypass of the SQL filter in the back-office SQL Manager, a BO (back-office) user can write, update and delete rows in the database, even without having been granted the corresponding rights.
-
[CVE-2023-30838] Possible XSS injection through Validate::isCleanHTML method
The ValidateCore::isCleanHTML() method of PrestaShop misses hijackable events, which can lead to XSS injection, enabled by the presence of pre-setup @keyframes rules.
-
[CVE-2023-30545] Arbitrary file read via the backoffice Database Manager [DEBATE RUNNING ABOUT SCORING FROM PS CORE]
A logged-in admin can use the Database Manager interface to submit a SELECT request calling LOAD_FILE(), which reads arbitrary files from the database server. Note that LOAD_FILE() only returns data when the database account holds the FILE privilege and the path is not blocked by secure_file_priv, so the actual impact depends on the MySQL configuration of the shop.
-
[CVE-2023-30282] Exposure of Private Personal Information to an Unauthorized Actor in SC Export Customers module for PrestaShop
In the module “SC Export Customers” (scexportcustomers), a guest can download personal information without restriction.
-
[CVE-2023-30189] Improper neutralization of SQL parameter in Posthemes - Static Blocks module for PrestaShop
In the module “Static Blocks” (posstaticblocks) from PosThemes for PrestaShop, a guest can perform SQL injection in affected versions.
-
[CVE-2023-27843] Improper neutralization of a SQL parameter in askforaquote module for PrestaShop
In the module “Ask for a Quote - Convert to order, messaging system” (askforaquote) for PrestaShop, an anonymous user can perform SQL injection before 5.4.3. Release 5.4.3 fixed this security issue.
-
[CVE-2023-26865] Improper neutralization of a SQL parameter in bdroppy module for PrestaShop
In the module “BDroppy - The best brands for your dropshipping business” (bdroppy) for PrestaShop, an attacker can perform a blind SQL injection before 2.2.27. Release 2.2.28 fixed this security issue.
-
[CVE-2023-28839] Improper neutralization of a SQL parameter in Shoppingfeed module for PrestaShop
An SQL injection vulnerability in the module “Shoppingfeed PrestaShop Plugin (Feed&Order)” (aka shoppingfeed) for PrestaShop, versions 1.4.0 to 1.8.2, allows a remote attacker to gain privileges. Release 1.8.3 fixes the issue.
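The "improper neutralization of SQL parameter" entries above (posstaticfooter, posstaticblocks, askforaquote, bdroppy, shoppingfeed) all describe the same defect class: request parameters reaching a query without being cast or escaped, typically in a module front controller that a guest can reach without logging in. The following is an added illustration in PrestaShop's own idiom, not code from any of the modules named above; the module name, table name and controller are hypothetical, and the vulnerable method is kept only to contrast it with the hardened one.

```php
<?php
// Added example (hypothetical module "examplemod"): the vulnerable pattern next to two
// hardened forms. None of this is code from the modules listed in the advisories above.

class ExamplemodAjaxModuleFrontController extends ModuleFrontController
{
    // VULNERABLE: attacker-controlled parameters are concatenated straight into SQL.
    // Front controllers are reachable by unauthenticated visitors, hence "a guest can
    // perform SQL injection" in the advisories.
    public function vulnerableLookup()
    {
        $idBlock = Tools::getValue('id_block');   // e.g. "1 OR 1=1" or a UNION payload
        $isoCode = Tools::getValue('iso_code');   // e.g. '" OR "1"="1'
        $sql = 'SELECT * FROM ' . _DB_PREFIX_ . 'examplemod_block'
             . ' WHERE id_block = ' . $idBlock
             . ' AND iso_code = "' . $isoCode . '"';
        return Db::getInstance()->executeS($sql);
    }

    // HARDENED (string-built query): cast integers with (int), escape strings with pSQL(),
    // and quote identifiers with backticks (bqSQL() if the identifier itself is dynamic).
    public function safeLookup()
    {
        $idBlock = (int) Tools::getValue('id_block');
        $isoCode = pSQL(Tools::getValue('iso_code'));
        $sql = 'SELECT * FROM `' . _DB_PREFIX_ . 'examplemod_block`'
             . ' WHERE `id_block` = ' . $idBlock
             . ' AND `iso_code` = "' . $isoCode . '"';
        return Db::getInstance()->executeS($sql);
    }

    // HARDENED (DbQuery builder): same neutralization, but the builder keeps the
    // structure of the statement out of string concatenation.
    public function safeLookupWithBuilder()
    {
        $idBlock = (int) Tools::getValue('id_block');
        $isoCode = pSQL(Tools::getValue('iso_code'));
        $query = new DbQuery();
        $query->select('*')
              ->from('examplemod_block')
              ->where('`id_block` = ' . $idBlock)
              ->where('`iso_code` = "' . $isoCode . '"');
        return Db::getInstance()->executeS($query);
    }

    public function initContent()
    {
        parent::initContent();
        // Only the hardened variants should ever be wired to a route.
        $rows = $this->safeLookupWithBuilder();
        header('Content-Type: application/json');
        die(json_encode($rows === false ? [] : $rows));
    }
}
```

When reviewing a third-party module for this class of bug, grep its front controllers for `Tools::getValue`, `$_GET` and `$_POST` and follow each value to the point where it meets a `Db::getInstance()` call; any occurrence that is neither wrapped in `(int)`/`(float)` nor passed through `pSQL()`/`bqSQL()` is a candidate for the same finding.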