IMPORTANT NOTICE: DO NOT REPORT VULNERABILITIES SOLELY TO THE AUTHOR OR MARKETPLACE.
We urge you to report any vulnerabilities directly to us. Our mission is to ensure the safety and security of the PrestaShop ecosystem. Unfortunately, many module developers may not always recognize or acknowledge the vulnerabilities in their code, whether due to lack of awareness, inability to properly evaluate the associated risk, or other reasons.
Given the rise in professional cybercrime networks actively seeking out these vulnerabilities, it is crucial that any potential threats are promptly addressed and that the community is informed. The most effective way to do this is by publishing a CVE, like the ones listed below.
Should you discover any vulnerabilities, please report them to us at: report[@]security-presta.org or visit https://security-presta.org for more information.
Every vulnerability report helps make the community more secure, and we are profoundly grateful for any information shared with us.
-
[CVE-2024-28391] Improper neutralization of SQL parameter in FME Modules - Quick Order Form - Order Table module for PrestaShop
In the module “Quick Order Form - Order Table” (quickproducttable) up to version 1.2.1 from FME Modules for PrestaShop, a guest can perform SQL injection in affected versions.
-
[CVE-2024-25849] Improper neutralization of SQL parameter in PrestaToolKit - Make an offer module for PrestaShop
In the module “Make an offer” (makeanoffer) up to version 1.7.1 from PrestaToolKit for PrestaShop, a guest can perform SQL injection in affected versions.
-
[CVE-2024-25848] Improper neutralization of SQL parameter in Team Ever - Ever Ultimate SEO module for PrestaShop
In the module “Ever Ultimate SEO” (everpsseo) from Team Ever for PrestaShop, a guest can perform SQL injection in affected versions.
-
[CVE-2024-25845] Improper neutralization of SQL parameter in Cleanpresta.com - CD Custom Fields 4 Orders module for PrestaShop
In the module “CD Custom Fields 4 Orders” (cdcustomfields4orders) from Cleanpresta.com for PrestaShop, a guest can perform SQL injection in affected versions.
-
[CVE-2024-25839] Exposure of Sensitive Information to an Unauthorized Actor in Webbax - Super Newsletter module for PrestaShop
In the module “Super Newsletter” (supernewsletter) up to version 1.4.21 (DANGER: all versions) from Webbax for PrestaShop, a guest can access a secret of PrestaShop.
-
[CVE-2024-25844] Exposure of Private Personal Information to an Unauthorized Actor in Common-Services - So Flexibilite module for PrestaShop
In the module “So Flexibilite” (soflexibilite) up to version 4.1.14 from Common-Services for PrestaShop, a guest can steal the login / password used to access the web portal https://www.colissimo.entreprise.laposte.fr/ and download all customer data such as name / surname / postal address / phone.
-
[CVE-2024-25847] Improper neutralization of SQL parameter in MyPrestaModules - Product Catalog (CSV, Excel) Import module for PrestaShop
In the module “Product Catalog (CSV, Excel) Import” (simpleimportproduct) up to version 6.7.0 from MyPrestaModules for PrestaShop, a guest can perform SQL injection in affected versions.
-
[CVE-2024-26469] Server-Side Request Forgery (SSRF) in Tunis Soft - Product Designer module for PrestaShop
In the module “Product Designer” (productdesigner) up to version 1.178.36 from Tunis Soft for PrestaShop, an anonymous user can perform a Server-Side Request Forgery (SSRF) in affected versions.
-
[CVE-2024-24302] Deserialization of Untrusted Data in Tunis Soft - Product Designer module for PrestaShop
In the module “Product Designer” (productdesigner) up to version 1.178.36 from Tunis Soft for PrestaShop, a guest can achieve remote code execution through deserialization of untrusted data.
-
[CVE-2024-24307] Improper Limitation of a Pathname to a Restricted Directory in Tunis Soft - Product Designer module for PrestaShop
In the module “Product Designer” (productdesigner) up to version 1.178.36 from Tunis Soft for PrestaShop, a guest can download personal information without restriction by performing a path traversal attack.