IMPORTANT NOTICE: DO NOT REPORT VULNERABILITIES SOLELY TO THE AUTHOR OR MARKETPLACE.
We urge you to report any vulnerabilities directly to us. Our mission is to ensure the safety and security of the PrestaShop ecosystem. Unfortunately, many module developers do not always recognize or acknowledge the vulnerabilities in their code, whether due to lack of awareness, an inability to properly evaluate the associated risk, or other reasons.
Given the rise in professional cybercrime networks actively seeking out these vulnerabilities, it is crucial that any potential threat is promptly addressed and the community is informed. The most effective way to do this is by publishing a CVE, like the ones listed below.
Should you discover any vulnerabilities, please report them to us at: report[@]security-presta.org or visit https://security-presta.org for more information.
Every vulnerability report helps make the community more secure, and we are profoundly grateful for any information shared with us.
-
[CVE-2023-26858] Improper neutralization of SQL parameter in faqs module for PrestaShop
In the module “Frequently Asked Questions (FAQ) page” (faqs) for PrestaShop, an attacker can perform SQL injection in versions up to and including 3.1.5. Release 3.1.6 fixes this security issue.
-
[CVE-2023-27847] Improper neutralization of multiple SQL parameters in the xipblog module for PrestaShop
In the blog module (xipblog), an anonymous user can perform SQL injection. Although the module was patched in version 2.0.1, the version number was not incremented at the time, so we consider the issue resolved only in versions after 2.0.1. Because the fix shipped without a version bump, the version string alone cannot tell you whether an installed 2.0.1 copy is patched: obtain the current package from the vendor and redeploy it rather than relying on the displayed version.
-
[CVE-2023-27637][CVE-2023-27638][CWE-89] Improper neutralization of SQL parameters in module PrestaShop Custom Product Designer (tshirtecommerce) for PrestaShop
In the module Custom Product Designer (tshirtecommerce), an anonymous user can perform an SQL injection attack. The vulnerability is actively exploited by bots. As the module does not appear to have been maintained since 2019, removing it is strongly recommended.
-
[CVE-2023-27569]-[CVE-2023-27570] Improper neutralization of SQL parameters in Profileo : Tracking et Conversions (eo_tags) module for PrestaShop
In the module Tracking et Conversions (eo_tags) prior to version 1.4.19, an anonymous user can perform an SQL injection attack.
-
[CVE-2023-25206] Multiple improper neutralization of SQL parameters in ws_productreviews module for PrestaShop
In the module “Advanced Reviews: Photos, Reminder, Google Snippets” (ws_productreviews), an anonymous user can perform SQL injection in affected versions. Version 3.6.2 fixes these vulnerabilities.
-
[CVE-2023-29630] Blind SQL injection vulnerability in Jms Vertical MegaMenu (jmsvermegamenu) PrestaShop module
The module Jms Vertical MegaMenu (jmsvermegamenu) from Joommasters contains a Blind SQL injection vulnerability. This module is for the PrestaShop e-commerce platform and is mainly distributed with Joommasters PrestaShop themes.
-
[CVE-2023-29629] Blind SQL injection vulnerability in Jms Theme Layout (jmsthemelayout) PrestaShop module
The module Jms Theme Layout (jmsthemelayout) from Joommasters contains a Blind SQL injection vulnerability. This module is for the PrestaShop e-commerce platform and is mainly distributed with Joommasters PrestaShop themes.
-
[CVE-2023-29631] Unrestricted upload vulnerability in Jms Slider (jmsslider) PrestaShop module
The module Jms Slider (jmsslider) from Joommasters contains an Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability. This module is for the PrestaShop e-commerce platform and is mainly distributed with Joommasters PrestaShop themes.
-
[CVE-2023-29632] Blind SQL injection vulnerability in Jms Page Builder (jmspagebuilder) PrestaShop module
The module Jms Page Builder (jmspagebuilder) from Joommasters contains a Blind SQL injection vulnerability. This module is for the PrestaShop e-commerce platform and is mainly distributed with Joommasters PrestaShop themes.
-
[CVE-2023-29630] Blind SQL injection vulnerability in Jms MegaMenu (jmsmegamenu) PrestaShop module
The module Jms MegaMenu (jmsmegamenu) from Joommasters contains a Blind SQL injection vulnerability. This module is for the PrestaShop e-commerce platform and is mainly distributed with Joommasters PrestaShop themes.
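All of the "improper neutralization of SQL parameters" entries above share one root cause (CWE-89): a request parameter is concatenated into a query string without being neutralized for the SQL context it lands in. The example below is added here to illustrate that pattern and its idiomatic PrestaShop fix; it is not code from any of the modules listed, nor from security-presta.org. The module name (examplemod), the table and column names, the controller class and the request parameters are all hypothetical. The PrestaShop APIs it uses (Tools::getValue, Db::getInstance()->executeS, pSQL, bqSQL, _DB_PREFIX_) are real.

```php
<?php
/**
 * Added example, not code from any module listed above.
 * Hypothetical front controller of a fictional PrestaShop module "examplemod".
 * It shows the CWE-89 pattern behind the advisories next to the hardened form.
 */
class ExamplemodAjaxModuleFrontController extends ModuleFrontController
{
    /**
     * VULNERABLE: request parameters are concatenated into SQL unchanged.
     * Tools::getValue() only reads $_GET/$_POST; it does not neutralize SQL
     * metacharacters. A request such as
     *   ?id_category=1 OR SLEEP(5)     (blind, time based)
     *   ?search=%22 UNION SELECT ...   (quoted string context)
     *   ?orderby=(SELECT ...)          (identifier context)
     * reaches the database parser as SQL, which is exactly what an anonymous
     * user exploits in the advisories above.
     */
    public function getItemsVulnerable()
    {
        $idCategory = Tools::getValue('id_category');
        $search     = Tools::getValue('search');
        $orderBy    = Tools::getValue('orderby', 'position');

        $sql = 'SELECT id_item, name FROM `' . _DB_PREFIX_ . 'examplemod_item`'
             . ' WHERE id_category = ' . $idCategory
             . ' AND name LIKE "%' . $search . '%"'
             . ' ORDER BY ' . $orderBy;

        return Db::getInstance()->executeS($sql);
    }

    /**
     * HARDENED: each untrusted value is neutralized for the context it lands in.
     *   numeric literal -> cast with (int)
     *   string literal  -> escape with pSQL()
     *   identifier      -> whitelist against known column names, then bqSQL()
     * Escaping alone is not enough for identifiers: pSQL() protects a quoted
     * string literal, it cannot make an arbitrary value a safe column name.
     */
    public function getItemsHardened()
    {
        $idCategory = (int) Tools::getValue('id_category');
        $search     = pSQL(Tools::getValue('search'));

        // Hypothetical column whitelist for the hypothetical table.
        $allowedOrder = array('position', 'name', 'date_add');
        $orderBy = Tools::getValue('orderby', 'position');
        if (!in_array($orderBy, $allowedOrder, true)) {
            $orderBy = 'position';
        }

        $sql = 'SELECT id_item, name FROM `' . _DB_PREFIX_ . 'examplemod_item`'
             . ' WHERE id_category = ' . $idCategory
             . ' AND name LIKE "%' . $search . '%"'
             . ' ORDER BY `' . bqSQL($orderBy) . '`';

        return Db::getInstance()->executeS($sql);
    }

    public function postProcess()
    {
        header('Content-Type: application/json');
        die(json_encode($this->getItemsHardened()));
    }
}
```

When auditing an installed module, especially one of the Joommasters modules above for which this listing gives no patched version, grep the module directory for `Tools::getValue`, `$_GET` and `$_POST` values that flow into `Db::getInstance()` calls and check that every one is cast, passed through `pSQL()`, or whitelisted before it is concatenated. Note that `pSQL()` neutralizes only quoted string literals: a value placed in a numeric position without a cast, or in an identifier position without a whitelist, remains injectable even if it was escaped.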