IMPORTANT NOTICE: DO NOT REPORT VULNERABILITIES SOLELY TO THE AUTHOR OR MARKETPLACE.
We urge you to report any vulnerabilities directly to us. Our mission is to ensure the safety and security of the PrestaShop ecosystem. Unfortunately, many module developers do not always recognize or acknowledge the vulnerabilities in their code, whether through lack of awareness, an inability to evaluate the associated risk properly, or other reasons.
Given the rise in professional cybercrime networks actively seeking out these vulnerabilities, it is crucial that any potential threat is promptly addressed and the community informed. The most effective way to do this is to publish a CVE, like the ones listed below.
Should you discover any vulnerabilities, please report them to us at: report[@]security-presta.org or visit https://security-presta.org for more information.
Every vulnerability report helps make the community more secure, and we are profoundly grateful for any information shared with us.
-
[CVE-2024-28393] Improper neutralization of SQL parameter in Scalapay module for PrestaShop
In the module “Scalapay” (scalapay) up to version 1.2.41 from Scalapay for PrestaShop, a guest can perform SQL injection in affected versions.
-
[CVE-2024-28386] Improper Neutralization of Special Elements used in an OS Command in the Home-Made.io - FastMag Sync module for PrestaShop
In the module “Fast Mag Sync” (fastmagsync) up to version 1.7.52 from Home-Made.io for PrestaShop, a guest can inject an arbitrary executable script, resulting in OS command execution.
-
[CVE-2024-28387] Exposure of Private Personal Information to an Unauthorized Actor in Axonaut module for PrestaShop
In the module “Axonaut” (axonaut) up to version 3.1.23 from Axonaut for PrestaShop, a guest can download personal information without restriction.
-
[CVE-2024-28394] External Control of File Name or Path in Advanced Plugins - Sales Reports, Statistics, Custom Fields & Export module for PrestaShop
In the module “Sales Reports, Statistics, Custom Fields & Export” (reportsstatistics) in versions up to 1.3.20 from Advanced Plugins for PrestaShop, a guest can download and delete all files.
-
[CVE-2024-28392] Improper neutralization of SQL parameter in Abandoned Cart Reminder Pro module for PrestaShop
In the module “Abandoned Cart Reminder Pro” (pscartabandonmentpro) up to version 2.0.11, published by PrestaShop itself, a guest can perform SQL injection in affected versions.
-
[CVE-2024-28396] Exposure of Sensitive Information to an Unauthorized Actor in MyPrestaModules - Orders (CSV, Excel) Export PRO module for PrestaShop
In the module “Orders (CSV, Excel) Export PRO” (ordersexport) up to version 6.0.2 from MyPrestaModules for PrestaShop, a guest can download sensitive information without restriction.
-
[CVE-2024-28395] Improper neutralization of SQL parameter in Best-Kit - Pop-up / Schedule Popup / Splash window module for PrestaShop
In the module “Pop-up / Schedule Popup / Splash window” (bestkit_popup) up to version 1.7.2 (WARNING: all versions are affected) from BestKit for PrestaShop, a guest can perform SQL injection in affected versions.
-
[CVE-2024-28390] Improper Access Control in Advanced Plugins - Image: WebP, Compress, Zoom, Lazy load, Alt & More module for PrestaShop
In the module “Image: WebP, Compress, Zoom, Lazy load, Alt & More” (ultimateimagetool) in versions up to 2.2.01 from Advanced Plugins for PrestaShop, a guest can update all configuration values of the PrestaShop installation.
-
[CVE-2024-28388] Improper neutralization of SQL parameter in SunnyToo - Product Comments module for PrestaShop
In the module “Product Comments” (stproductcomments) up to version 1.0.5 from SunnyToo for PrestaShop, a guest can perform SQL injection in affected versions.
-
[CVE-2024-28389] Improper neutralization of SQL parameters in Knowband - Entry, Exit and Subscription Popup-Spin and Win module for PrestaShop
In the module “Entry, Exit and Subscription Popup-Spin and Win” (spinwheel) up to version 3.0.3 from Knowband for PrestaShop, an anonymous user can perform a SQL injection.
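Five of the entries above (CVE-2024-28393, CVE-2024-28392, CVE-2024-28395, CVE-2024-28388 and CVE-2024-28389) are the same bug class: a module front controller reachable by an unauthenticated visitor concatenates request parameters into a query. The following is an added illustration of that class and of the fix using PrestaShop's own helpers; it is not code from any of the modules named on this page. The module name "mymodule", the table "mymodule_comment" and the parameters "id_product", "orderby" and "author" are assumptions made for the example.

```php
<?php
// Added example, not code from any module listed in this advisory.
// Hypothetical front controller of a module "mymodule" that lists comments for
// a product. Both methods are reachable by an unauthenticated visitor, which is
// the "guest" precondition the advisories above describe.

class MymoduleListModuleFrontController extends ModuleFrontController
{
    // Vulnerable pattern: request values are concatenated into the statement.
    // id_product=1 OR 1=1 returns every row, and a UNION SELECT in the same
    // parameter reads other tables (customers, employees, configuration).
    // orderby is an identifier position, so even quoting would not help there.
    public function vulnerableList()
    {
        $idProduct = Tools::getValue('id_product');
        $orderBy   = Tools::getValue('orderby', 'date_add');

        return Db::getInstance()->executeS(
            'SELECT id_comment, content FROM `' . _DB_PREFIX_ . 'mymodule_comment`'
            . ' WHERE id_product = ' . $idProduct
            . ' ORDER BY ' . $orderBy
        );
    }

    // Hardened pattern:
    //  - numeric values are cast with (int) before use,
    //  - string literals go through pSQL(), which escapes for the driver,
    //  - identifiers are checked against an allow-list, then wrapped with
    //    bqSQL(), which escapes backticks but does not validate the name.
    public function hardenedList()
    {
        $idProduct = (int) Tools::getValue('id_product');
        if ($idProduct <= 0) {
            return [];
        }

        $orderBy = Tools::getValue('orderby', 'date_add');
        if (!in_array($orderBy, ['date_add', 'grade'], true)) {
            $orderBy = 'date_add';
        }

        // pSQL() only protects a value that sits inside single quotes.
        $author = pSQL(Tools::getValue('author', ''));

        $rows = Db::getInstance()->executeS(
            'SELECT id_comment, content FROM `' . _DB_PREFIX_ . 'mymodule_comment`'
            . ' WHERE id_product = ' . $idProduct
            . ($author !== '' ? " AND author = '" . $author . "'" : '')
            . ' ORDER BY `' . bqSQL($orderBy) . '`'
        );

        return $rows ?: [];
    }
}
```

The point of the three different treatments is that pSQL() does nothing for a value placed outside quotes or used as a column name, which is where many module injections sit; each position in the statement needs the control that matches it. Where a module runs inside the Symfony container of PrestaShop 1.7 and later, Doctrine DBAL parameter binding is the cleaner alternative for the value positions.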
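To check an installation against the list above, the following added script (not part of the advisory) reads the installed module versions from the PrestaShop module table and flags any entry at or below the version ceiling quoted on this page. The ceilings are transcribed from the entries above; "up to version X" is read as X itself being affected, and the fixed version is not stated here, so a flagged module should be confirmed against the vendor's changelog. The "all" marker reproduces the warning on the bestkit_popup entry. It is meant to be run from a one-off script that first includes config/config.inc.php of the shop; the function name is an assumption.

```php
<?php
// Added example, not part of the advisory. Requires the shop's
// config/config.inc.php to be included first so Db, _DB_PREFIX_ and
// _PS_MODULE_DIR_ are available.

// Module folder name => [CVE, highest affected version], from the entries above.
$affectedModules = [
    'scalapay'             => ['CVE-2024-28393', '1.2.41'],
    'fastmagsync'          => ['CVE-2024-28386', '1.7.52'],
    'axonaut'              => ['CVE-2024-28387', '3.1.23'],
    'reportsstatistics'    => ['CVE-2024-28394', '1.3.20'],
    'pscartabandonmentpro' => ['CVE-2024-28392', '2.0.11'],
    'ordersexport'         => ['CVE-2024-28396', '6.0.2'],
    'bestkit_popup'        => ['CVE-2024-28395', 'all'],
    'ultimateimagetool'    => ['CVE-2024-28390', '2.2.01'],
    'stproductcomments'    => ['CVE-2024-28388', '1.0.5'],
    'spinwheel'            => ['CVE-2024-28389', '3.0.3'],
];

// Returns one finding per installed module at an affected version, plus a
// note for module folders that still exist on disk without a database row:
// standalone PHP files in modules/<name>/ stay reachable over HTTP even when
// the module is disabled or uninstalled but its files were not deleted.
function findAffectedModules(array $affectedModules)
{
    $names = array_map('pSQL', array_keys($affectedModules));
    $rows  = Db::getInstance()->executeS(
        'SELECT name, version, active FROM `' . _DB_PREFIX_ . 'module`'
        . " WHERE name IN ('" . implode("','", $names) . "')"
    ) ?: [];

    $findings = [];
    $seen     = [];
    foreach ($rows as $row) {
        $seen[$row['name']] = true;
        [$cve, $ceiling] = $affectedModules[$row['name']];
        $vulnerable = ($ceiling === 'all')
            || version_compare($row['version'], $ceiling, '<=');
        if ($vulnerable) {
            $findings[] = sprintf(
                '%s %s installed (active=%s) is affected by %s (affected up to %s)',
                $row['name'], $row['version'], $row['active'], $cve, $ceiling
            );
        }
    }

    foreach ($affectedModules as $name => [$cve, $ceiling]) {
        if (!isset($seen[$name]) && is_dir(_PS_MODULE_DIR_ . $name)) {
            $findings[] = sprintf(
                '%s has files in modules/ but no database row; verify the files are removed or patched (%s)',
                $name, $cve
            );
        }
    }

    return $findings;
}

foreach (findAffectedModules($affectedModules) as $line) {
    echo $line, PHP_EOL;
}
```

The version stored in the module table is the one recorded at install or upgrade time, so a module updated by copying files without running the upgrade can report an older number than the code on disk; when in doubt, read the version declared in the module's main class as well.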