IMPORTANT NOTICE: DO NOT REPORT VULNERABILITIES SOLELY TO THE AUTHOR OR MARKETPLACE.
We urge you to report any vulnerabilities directly to us. Our mission is to ensure the safety and security of the PrestaShop ecosystem. Unfortunately, many module developers do not always recognize or acknowledge the vulnerabilities in their code, whether due to lack of awareness, an inability to evaluate the associated risk properly, or other reasons.
Given the rise in professional cybercrime networks actively seeking out these vulnerabilities, it is crucial that any potential threat is promptly addressed and the community informed. The most effective way to do this is to publish a CVE, like the ones listed below.
Should you discover any vulnerabilities, please report them to us at: report[@]security-presta.org or visit https://security-presta.org for more information.
Every vulnerability report helps make the community more secure, and we are profoundly grateful for any information shared with us.
-
[CVE-2024-36678] Improper neutralization of SQL parameter in Promokit.eu - Theme settings module for PrestaShop
In the module “Theme settings” (pk_themesettings) from Promokit.eu for PrestaShop, a guest can perform SQL injection in affected versions.
-
[CVE-2024-36684] Improper neutralization of SQL parameter in Promokit.eu - Custom links module for PrestaShop
In the module “Custom links” (pk_customlinks) from Promokit.eu for PrestaShop, a guest can perform SQL injection in affected versions.
-
[CVE-2024-36677] Exposure of Private Personal Information to an Unauthorized Actor in Weblir - Login as customer PRO module for PrestaShop
In the module “Login as customer PRO” (loginascustomerpro) from Weblir for PrestaShop, a guest can obtain a direct login link for every customer account of the shop if the module is not installed, or if a secret that is accessible to the administrator is stolen.
-
[CVE-2024-36679] Improper Control of Generation of Code in Module Live Chat Pro (All in One Messaging) module for PrestaShop
In the module “Module Live Chat Pro (All in One Messaging)” (livechatpro), a guest can perform PHP Code injection in affected versions.
-
[CVE-2024-33836] Unrestricted Upload of File with Dangerous Type in JA Marketplace module for PrestaShop
In the module “JA Marketplace” (jamarketplace) up to version 9.0.1 from JA Module for PrestaShop, a guest can upload files with the .php extension.
-
[CVE-2024-34990] Unrestricted Upload of File with Dangerous Type in FME Modules - Help Desk - Customer Support Management System module for PrestaShop
In the module “Help Desk - Customer Support Management System” (helpdesk) up to version 2.4.0 from FME Modules for PrestaShop, a customer can upload .php files.
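Both upload entries above (CVE-2024-33836 and CVE-2024-34990) describe the same defect class: a file is stored under the name and extension the client chose, so a .php upload becomes a web shell. The following is an added example, not the code of either module; it shows the three checks a module should apply before storing an upload, using plain PHP so it runs offline. The function names, the allow-list and the sample inputs at the bottom are constructed for this illustration. A real endpoint should additionally require an authenticated customer and a valid token before accepting any file at all.

```php
<?php
declare(strict_types=1);

/**
 * Added illustration, not the code of any module listed above.
 * Takes one entry of $_FILES (name, tmp_name, size, error) and returns the
 * name the attachment must be stored under, or throws if it is rejected.
 * $allowed maps a lower-case extension to the MIME type libmagic must report.
 */
function safeAttachmentName(array $file, array $allowed, int $maxBytes = 2097152): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (($file['size'] ?? 0) <= 0 || $file['size'] > $maxBytes) {
        throw new RuntimeException('bad size');
    }
    // Check 1: extension allow-list on the LAST extension only.
    // "shell.php.jpg" yields "jpg" here; it is caught by check 2.
    $ext = strtolower(pathinfo((string) $file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        throw new RuntimeException('extension not allowed: ' . $ext);
    }
    // Check 2: inspect the bytes, not $_FILES['type'], which the client sets.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== $allowed[$ext]) {
        throw new RuntimeException('content does not match extension: ' . $mime);
    }
    // Check 3: never reuse the client's name. A random name with the
    // allow-listed extension removes path traversal and double-extension tricks.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

/** Real storage path: validate, then move the PHP upload into $dir. */
function storeAttachment(array $file, string $dir, array $allowed): string
{
    $dest = rtrim($dir, '/') . '/' . safeAttachmentName($file, $allowed);
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('move failed');
    }
    return $dest;
}

// Offline demonstration with constructed inputs (these are not real uploads,
// so only the validation step is exercised, not move_uploaded_file()).
$allowed = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'pdf' => 'application/pdf'];
$cases = [
    'photo.jpg'     => "\xFF\xD8\xFF\xE0\x00\x10JFIF\x00",   // JPEG magic bytes
    'shell.php'     => "<?php system(\$_GET['c']); ?>",     // rejected by check 1
    'shell.php.jpg' => "<?php system(\$_GET['c']); ?>",     // rejected by check 2
];
foreach ($cases as $name => $bytes) {
    $tmp = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($tmp, $bytes);
    $file = ['name' => $name, 'tmp_name' => $tmp, 'size' => strlen($bytes), 'error' => UPLOAD_ERR_OK];
    try {
        echo $name, ' -> accepted as ', safeAttachmentName($file, $allowed), "\n";
    } catch (RuntimeException $e) {
        echo $name, ' -> rejected: ', $e->getMessage(), "\n";
    }
    unlink($tmp);
}
```

The random file name is what makes the extension check robust: even if the web server is configured to execute double extensions (an Apache AddHandler for .php matching "x.php.jpg"), nothing of the client's name survives into the stored path. Storing attachments outside the document root, or in a directory whose .htaccess denies PHP execution, is a second, independent layer worth keeping.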
-
[CVE-2024-34994] Improper neutralization of SQL parameter in Channable module for PrestaShop
In the module “Channable” (channable) up to version 3.2.1 from Channable for PrestaShop, a guest can perform SQL injection in affected versions.
-
[CVE-2024-34993] Improper neutralization of SQL parameter in Buy Addons - Bulk Export products to Google Merchant-Google Shopping module for PrestaShop
In the module “Bulk Export products to Google Merchant-Google Shopping” (bagoogleshopping) up to version 1.0.26 from Buy Addons for PrestaShop, a guest can perform SQL injection in affected versions.
-
[CVE-2024-33275] Improper neutralization of SQL parameter in Webbax - Super Newsletter module for PrestaShop
In the module “Super Newsletter” (supernewsletter) up to version 1.4.21 (DANGER: all versions) from Webbax for PrestaShop, a guest can perform SQL injection in affected versions because the token protecting the endpoint is predictable.
-
[CVE-2024-33273] Improper neutralization of SQL parameter in ShipUp module for PrestaShop
In the module “ShipUp” (shipup) up to version 3.3.0 from ShipUp for PrestaShop, a guest can perform SQL injection in affected versions.
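Seven of the entries above are “Improper neutralization of SQL parameter” in a PrestaShop module reachable by a guest, and CVE-2024-33275 adds the twist that the only gate in front of the query was a predictable token. The following is an added example, not the code of any module listed here: a front controller for a hypothetical module named "examplemodule", with an invented table "examplemodule_link", showing the vulnerable concatenation pattern commented out next to the hardened form. It relies on PrestaShop core (Tools, Db, Validate, Configuration, pSQL(), _DB_PREFIX_, ModuleFrontController), so it runs inside a shop as modules/examplemodule/controllers/front/ajax.php rather than stand-alone.

```php
<?php
/**
 * Added illustration, not the code of any module listed above.
 * Hypothetical module "examplemodule"; the table examplemodule_link is invented.
 * Requires PrestaShop core to be loaded (this is a module front controller).
 */
class ExamplemoduleAjaxModuleFrontController extends ModuleFrontController
{
    public function initContent()
    {
        parent::initContent();
        $this->ajax = true;

        // 1. Gate the endpoint with a secret generated at install time, e.g.
        //    Configuration::updateValue('EXAMPLEMODULE_TOKEN', Tools::passwdGen(32))
        //    in the module's install(). A token derived from public data (module
        //    name, shop name, version) is predictable and protects nothing.
        $expected = (string) Configuration::get('EXAMPLEMODULE_TOKEN');
        $given    = (string) Tools::getValue('token');
        if ($expected === '' || !hash_equals($expected, $given)) {
            $this->respond(403, ['error' => 'forbidden']);
        }

        // 2. VULNERABLE pattern, shown for contrast only: request values are
        //    concatenated straight into the query, so a guest sending
        //    id_link=1 OR 1=1  or  slug=" UNION SELECT ...  reaches MySQL unchanged.
        //
        //    $id   = Tools::getValue('id_link');
        //    $slug = Tools::getValue('slug');
        //    $sql  = 'SELECT * FROM `'._DB_PREFIX_.'examplemodule_link`
        //             WHERE id_link = '.$id.' AND slug = "'.$slug.'"';

        // 3. HARDENED pattern: cast numbers, validate the format of strings,
        //    and escape them with pSQL() at the point they enter the query.
        $id   = (int) Tools::getValue('id_link');
        $slug = (string) Tools::getValue('slug');
        if ($id <= 0 || !Validate::isLinkRewrite($slug)) {
            $this->respond(400, ['error' => 'invalid parameters']);
        }
        $sql = 'SELECT `id_link`, `slug`, `url`
                FROM `' . _DB_PREFIX_ . 'examplemodule_link`
                WHERE `id_link` = ' . (int) $id . '
                  AND `slug` = "' . pSQL($slug) . '"';
        $rows = Db::getInstance()->executeS($sql);

        $this->respond(200, ['links' => $rows ?: []]);
    }

    /** Send a JSON response with the given HTTP status and stop. */
    private function respond($status, array $body)
    {
        http_response_code($status);
        header('Content-Type: application/json');
        die(json_encode($body));
    }
}
```

Two caveats a reviewer should check in any module using this style. First, pSQL() only neutralizes a value inside quotes; an ORDER BY column, a table name or a LIMIT taken from the request cannot be escaped that way and must be matched against a fixed allow-list (or, for identifiers, passed through bqSQL() after validation). Second, casting with (int) must happen on the value actually placed in the SQL string, not only on a copy used for validation, which is why the query above casts again at the point of use.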