-
[CVE-2022-40842] Server-Side Request Forgery (SSRF) NdkAdvancedCustomizationFields from ndk design a module for PrestaShop
In NdkAdvancedCustomizationFields module for PrestaShop before 4.1.7, an anonymous user can perform a Server-Side Request Forgery (SSRF) in affected versions. 4.1.7 fixed the vulnerability.
-
[CVE-2022-40840][CVE-2022-40841] Possible XSS T1 and T2 in Ndk advanced custom fields module from ndkdesign for PrestaShop
Ndk design NdkAdvancedCustomizationFields 3.5.0 is vulnerable to Reflected Cross Site Scripting (XSS-T1 of category 1) via createPdf.php and showPreview.php.
-
Chain: SQL Injection (CWE-89) and Eval Injection (CWE-95)
In versions from 1.6.0.10 and before 1.7.8.7 PrestaShop is subject to an SQL injection vulnerability which can be chained to call PHP’s Eval function on attacker input.
-
[CVE-2022-31101] Invalid order neutralization in an SQL query in PrestaShop blockwishlist module
blockwishlist is a PrestaShop extension which adds a block containing the customer's wishlists. In affected versions an authenticated customer can perform SQL injection. This issue is fixed in version 2.1.1. Users are advised to upgrade. There are no known workarounds for this issue.
-
[CVE-2021-37538] Improper neutralization of SQL parameter in SmartBlog module from SmartDataSoft for PrestaShop
Multiple SQL injection vulnerabilities in SmartDataSoft SmartBlog for PrestaShop before 4.0.6 allow a remote unauthenticated attacker to execute arbitrary SQL commands via the day, month, or year parameter to the controllers/front/archive.php archive controller, or the id_category parameter to the controllers/front/category.php category controller.
-
[CVE-2021-36748] Improper neutralization of SQL parameter in SimpleBlog module from Prestahome for PrestaShop
An SQL Injection issue in the list controller of the Prestahome Blog (aka ph_simpleblog) module before 1.7.8 for Prestashop allows a remote attacker to extract data from the database via the sb_category parameter.
-
[CVE-2020-16194] Authorization Bypass Through User-Controlled Key in Opart Devis module (opartdevis)
In the module "Opart Devis" (opartdevis) up to version 4.0.2, unauthenticated attackers can access any user's invoice and delivery address by exploiting an IDOR on the delivery_address and invoice_address fields.
-
[CVE-2020-9368][CWE-22] Path traversal in Olea Gift On Order module (giftonorder) module for PrestaShop
The Olea Gift On Order module (giftonorder) through 5.0.8 for PrestaShop enables an unauthenticated user to read arbitrary files on the server via getfile.php?file=/.. directory traversal.
-
[CVE-2017-9841] PHPUnit dependency in PrestaShop and modules allows remote arbitrary PHP code execution
Modules that include the vulnerable dependency are:
- 1-Click Upgrade (autoupgrade) from 4.0.0 to 4.10.1
- Cart Abandonment Pro (pscartabandonmentpro) from 2.0.1 to 2.0.10
- Faceted Search (ps_facetedsearch) from 2.2.1 to 3.4.1
- Merchant Expertise (gamification) from 2.1.0 to 2.3.2
- PrestaShop Checkout (ps_checkout) from 1.0.8 to 1.2.9