-
[CVE-2023-27844] Improper neutralization of SQL parameter in leurlrewrite for PrestaShop
In the module “LitExtension Url Plugin” (leurlrewrite) for PrestaShop, an attacker can perform SQL injection in versions up to 1.0. Even though the module has been patched in version 1.0, the version number was not incremented at the time. We consider the issue resolved in versions after 1.0.
-
[CVE-2023-27032] Improper neutralization of SQL parameter in Idnovate - AdvancedPopupCreator module for PrestaShop
In the module “Advanced Popup Creator” (advancedpopupcreator) from Idnovate for PrestaShop, a guest can perform SQL injection in affected versions.
-
[CVE-2023-27033] Unrestricted Upload of File with Dangerous Type in Cdesigner module for PrestaShop
In the module “Cdesigner” (cdesigner) up to 3.2.1 (3.2.2 fixes the issue), a guest can upload files with extensions matching .php.+ (such as .php7).
-
[CVE-2023-26860] Improper neutralization of SQL parameter in lgbudget module for PrestaShop
In the module “Save your carts and buy later” (lgbudget) for PrestaShop, an authenticated user can perform a blind SQL injection in versions up to 1.0.3. Release 1.0.4 fixed this security issue.
-
[CVE-2023-28843] Improper neutralization of SQL parameter in PayPal module for PrestaShop 1.6 and 1.5
An SQL injection vulnerability found in the module “PayPal Official Module” (aka paypal) for PrestaShop, from 3.12.0 to 3.16.3 (3.16.4 fixes the issue), allows a remote attacker to gain privileges.
-
[CVE-2023-27639][CVE-2023-27640][CWE-22] Multiple path traversal in Custom Product Designer (tshirtecommerce) module for PrestaShop
In the Custom Product Designer (tshirtecommerce) module for PrestaShop, HTTP requests can be forged using POST and GET parameters enabling a remote attacker to perform directory traversal on the system and view the contents of code files. Since the module appears not to have been maintained since 2019, it is strongly recommended to remove it.
-
[CVE-2023-26858] Improper neutralization of SQL parameter in faqs module for PrestaShop
In the module “Frequently Asked Questions (FAQ) page” (faqs) for PrestaShop, an attacker can perform SQL injection in versions up to 3.1.5. Release 3.1.6 fixed this security issue.
-
[CVE-2023-27847] Improper neutralization of multiple SQL parameters in the xipblog module for PrestaShop
In the blog module (xipblog), an anonymous user can perform SQL injection. Even though the module has been patched in version 2.0.1, the version number was not incremented at the time. We consider the issue resolved in versions after 2.0.1.
-
[CVE-2023-27637][CVE-2023-27638][CWE-89] Improper neutralization of SQL parameters in module PrestaShop Custom Product Designer (tshirtecommerce) for PrestaShop
In the module Custom Product Designer (tshirtecommerce), an anonymous user can perform an SQL injection attack. The vulnerability is actively exploited by bots. As the module does not seem to have been maintained since 2019, it is strongly suggested to remove it.
-
[CVE-2023-27569]-[CVE-2023-27570] Improper neutralization of SQL parameters in Profileo : Tracking et Conversions (eo_tags) module for PrestaShop
In the module Tracking et Conversions (eo_tags) prior to version 1.4.19, an anonymous user can perform an SQL injection attack.