IMPORTANT NOTICE: DO NOT REPORT VULNERABILITIES SOLELY TO THE AUTHOR OR MARKETPLACE.
We urge you to report any vulnerabilities directly to us. Our mission is to ensure the safety and security of the PrestaShop ecosystem. Unfortunately, many module developers may not always recognize or acknowledge the vulnerabilities in their code, whether due to lack of awareness, or inability to properly evaluate the associated risk, or other reasons.
Given the rise in professional cybercrime networks actively seeking out these vulnerabilities, it's crucial that any potential threats are promptly addressed and the community is informed. The most effective method to do this is by publishing a CVE, like the ones listed below.
Should you discover any vulnerabilities, please report them to us at: report[@]security-presta.org or visit https://security-presta.org for more information.
Every vulnerability report helps make the community more secure, and we are profoundly grateful for any information shared with us.
-
[CVE-2023-45385] Improper Limitation of a Pathname to a Restricted Directory in ProQuality - Print Shipping Labels Pro module for PrestaShop
In the module “Print Shipping Labels Pro” (pqprintshippinglabels) up to version 4.15.0 from ProQuality for PrestaShop, a guest can download personal information without restriction by performing a path traversal attack.
-
[CVE-2024-33267] Improper neutralization of SQL parameter in Hero - Payment module for PrestaShop
In the module “Hero - Payment” (hfheropayment) up to version 1.2.5 from Hero for PrestaShop, a guest can perform SQL injection.
-
[CVE-2024-33270] Exposure of Private Personal Information to an Unauthorized Actor in FME Modules - Customer File Upload-Attach File on Product,Cart pages module for PrestaShop
In the module “Customer File Upload-Attach File on Product,Cart pages” (fileuploads) up to version 2.0.3 from FME Modules for PrestaShop, a guest can download personal information without restriction.
-
[CVE-2024-33274] Improper Limitation of a Pathname to a Restricted Directory in FME Modules - Custom Checkout Fields, Add Custom Fields to Checkout module for PrestaShop
In the module “Custom Checkout Fields, Add Custom Fields to Checkout” (customfields) up to version 2.2.7 from FME Modules for PrestaShop, a guest can download personal information without restriction by performing a path traversal attack.
-
[CVE-2024-33276] Improper neutralization of SQL parameter in FME Modules - Pre-Order module for PrestaShop
In the module “Pre-Order” (preorderandnotification) up to version 3.1.1 from FME Modules for PrestaShop, a guest can perform SQL injection.
-
[CVE-2024-33268] Improper neutralization of SQL parameter in Digincube - Free Gifts Products module for PrestaShop
In the module “Free Gifts Products” (mdgiftproduct) up to version 1.4.1 from Digincube for PrestaShop, a guest can perform SQL injection.
-
[CVE-2024-33269] Improper neutralization of SQL parameter in Prestaddons - Flash Sales module for PrestaShop
In the module “Flash Sales” (flashsales) up to version 1.9.7 from Prestaddons for PrestaShop, a guest can perform SQL injection.
-
[CVE-2024-33271] Exposure of Private Personal Information to an Unauthorized Actor in FME Modules - Events Manager, Create events & Sell tickets Online module for PrestaShop
In the module “Events Manager, Create events & Sell tickets Online” (eventsmanager) up to version 4.4.0 from FME Modules for PrestaShop, a guest can download personal information without restriction.
-
[CVE-2024-33266] Improper neutralization of SQL parameter in Helloshop - Tracking Center - Parcel tracking 80 carriers module for PrestaShop
In the module “Tracking Center - Parcel tracking 80 carriers” (deliveryorderautoupdate) up to version 2.8.2 from Helloshop for PrestaShop, a guest can perform SQL injection.
-
[CVE-2024-33272] Improper neutralization of SQL parameters in Knowband - Search Auto Suggest module for PrestaShop
In the module “Search Auto Suggest” (autosuggest) up to version 2.0.0 from Knowband for PrestaShop, a guest can perform SQL injection.
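A quick way to check an installed shop against the technical names and version ceilings in the entries above. This is an added example, not part of the advisories or of any vendor's code. It assumes the PrestaShop layout where each module lives under modules/<technical name>/, that the version can be read from the `$this->version` assignment in the module's main PHP file or, failing that, from the `<version>` element of the module's generated config.xml, and that version strings are dot-separated numbers; the name/ceiling table is copied from the entries above.

```shell
#!/bin/sh
# Scan a PrestaShop modules/ directory for the module versions named in the
# advisories above. Added example; not from security-presta.org or any vendor.
# Assumption: modules/<technical_name>/<technical_name>.php sets $this->version,
# or modules/<technical_name>/config.xml carries <version><![CDATA[x.y.z]]>.

# technical_name:highest_affected_version, copied from the entries above
AFFECTED="
pqprintshippinglabels:4.15.0
hfheropayment:1.2.5
fileuploads:2.0.3
customfields:2.2.7
preorderandnotification:3.1.1
mdgiftproduct:1.4.1
flashsales:1.9.7
eventsmanager:4.4.0
deliveryorderautoupdate:2.8.2
autosuggest:2.0.0
"

# version_le A B: return 0 if A <= B, comparing dot-separated components
# numerically (so 1.9.10 > 1.9.7). Non-digit suffixes such as "-beta" are
# stripped before the numeric compare.
version_le() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax="${a%%.*}"; bx="${b%%.*}"
        if [ "$a" = "$ax" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$bx" ]; then b=""; else b="${b#*.}"; fi
        ax=$(printf '%s' "$ax" | tr -cd '0-9'); bx=$(printf '%s' "$bx" | tr -cd '0-9')
        ax="${ax:-0}"; bx="${bx:-0}"
        if [ "$ax" -lt "$bx" ]; then return 0; fi
        if [ "$ax" -gt "$bx" ]; then return 1; fi
    done
    return 0
}

# module_version DIR: print the installed version of the module in DIR.
# The PHP source is authoritative; config.xml is a generated cache that can be
# stale, so it is only used as a fallback. Returns 1 if no version is found.
module_version() {
    dir="${1%/}"; v=""
    src="$dir/$(basename "$dir").php"
    if [ -f "$src" ]; then
        v=$(sed -n 's/.*this->version *= *.\([0-9][0-9.]*\).*/\1/p' "$src" | head -n 1)
    fi
    if [ -z "$v" ] && [ -f "$dir/config.xml" ]; then
        v=$(sed -n 's/.*<version>[^0-9]*\([0-9][0-9.]*\).*/\1/p' "$dir/config.xml" | head -n 1)
    fi
    if [ -n "$v" ]; then printf '%s\n' "$v"; return 0; fi
    return 1
}

# check_module NAME VERSION: 0 if NAME is listed and VERSION is within the
# affected range, 1 if listed but above the ceiling, 2 if not listed at all.
check_module() {
    cm_max=$(printf '%s\n' "$AFFECTED" | sed -n "s/^$1:\(.*\)$/\1/p")
    [ -n "$cm_max" ] || return 2
    version_le "$2" "$cm_max"
}

# scan_modules MODULES_DIR: print one line per affected module; exit status is
# non-zero when anything was flagged, so the function can gate a CI job.
scan_modules() {
    found=0
    for d in "${1%/}"/*/; do
        [ -d "$d" ] || continue
        m=$(basename "$d")
        ver=$(module_version "$d") || continue
        if check_module "$m" "$ver"; then
            printf 'AFFECTED  %-26s %s\n' "$m" "$ver"
            found=$((found + 1))
        fi
    done
    [ "$found" -eq 0 ]
}

# Usage: sh check_modules.sh /var/www/prestashop/modules
if [ $# -eq 1 ]; then scan_modules "$1"; fi
```

Two caveats when reading the output. A module that is not flagged is only outside the range the advisory names, which is not the same as confirmed fixed: check the vendor's changelog for the version that actually closed the issue. And the list keys on the module's technical name, so a module that was installed under a renamed directory or a white-labelled copy of the same code will not be matched.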