IMPORTANT NOTICE: DO NOT REPORT VULNERABILITIES SOLELY TO THE AUTHOR OR MARKETPLACE.
We urge you to report any vulnerabilities directly to us. Our mission is to ensure the safety and security of the PrestaShop ecosystem. Unfortunately, many module developers do not always recognize or acknowledge the vulnerabilities in their code, whether due to a lack of awareness, an inability to properly evaluate the associated risk, or other reasons.
Given the rise in professional cybercrime networks actively seeking out these vulnerabilities, it's crucial that any potential threats are promptly addressed and the community is informed. The most effective method to do this is by publishing a CVE, like the one provided below.
Should you discover any vulnerabilities, please report them to us at: report[@]security-presta.org or visit https://security-presta.org for more information.
Every vulnerability report helps make the community more secure, and we are profoundly grateful for any information shared with us.
-
[CVE-2024-25842] External Control of File Name or Path in Presta World - Account Manager - Sales Representative & Dealers - CRM module for PrestaShop
In the module “Account Manager - Sales Representative & Dealers - CRM” (prestasalesmanager) up to version 8.0.0 from Presta World for PrestaShop, a guest can delete all files of the system.
-
[CVE-2024-25841] Improper Neutralization of Input During Web Page Generation in Common-Services - So Flexibilite module for PrestaShop
In the module “So Flexibilite” (soflexibilite) up to version 4.1.14 from Common-Services for PrestaShop, a guest (authenticated customer) can perform XSS injection of type 2 (Stored XSS) from FRONT to BACK (F2B) within the funnel order in affected versions.
-
[CVE-2024-25846] Unrestricted Upload of File with Dangerous Type in MyPrestaModules - Product Catalog (CSV, Excel) Import module for PrestaShop
In the module “Product Catalog (CSV, Excel) Import” (simpleimportproduct) up to version 6.7.0 from MyPrestaModules for PrestaShop, a guest can upload files with the .php extension.
-
[CVE-2024-25840] Improper Limitation of a Pathname to a Restricted Directory in Presta World - Account Manager - Sales Representative & Dealers - CRM module for PrestaShop
In the module “Account Manager - Sales Representative & Dealers - CRM” (prestasalesmanager) up to version 8.0.0 from Presta World for PrestaShop, a guest can download personal information without restriction by performing a path traversal attack.
-
[CVE-2024-25843] Improper neutralization of SQL parameter in Buy Addons - Import/Update Bulk Product from any Csv/Excel File Pro module for PrestaShop
In the module “Import/Update Bulk Product from any Csv/Excel File Pro” (ba_importer) up to version 1.1.28 from Buy Addons for PrestaShop, a guest can perform SQL injection in affected versions.
-
[CVE-2024-24309] Exposure of Sensitive Information to an Unauthorized Actor in Ecomiz - Survey TMA module for PrestaShop
In the module “Survey TMA” (ecomiz_survey_tma) up to version 2.0.0 from Ecomiz for PrestaShop, a guest can download technical information without restriction.
-
[CVE-2024-24310] Improper neutralization of SQL parameter in Ether Création - Generate barcode on invoice / delivery slip module for PrestaShop
In the module “Generate barcode on invoice / delivery slip” (ecgeneratebarcode) up to version 1.2.0 from Ether Création for PrestaShop, a guest can perform SQL injection in affected versions if the module is not installed, or if a secret accessible to an administrator is stolen.
-
[CVE-2023-50061] Improper neutralization of SQL parameter in Opart Easy Redirect for PrestaShop
In the module “Opart Easy Redirect” (oparteasyredirect) up to version 1.3.12 from Opart for PrestaShop, a guest can perform SQL injection in affected versions.
-
[CVE-2023-46350] Improper neutralization of SQL parameter in InnovaDeluxe - Manufacturer or supplier alphabetical search module for PrestaShop
In the module “Manufacturer or supplier alphabetical search” (idxrmanufacturer) up to version 2.0.4 from InnovaDeluxe for PrestaShop, a guest can perform SQL injection in affected versions.
-
[CVE-2023-50026] Improper neutralization of SQL parameter in Presta Monster - Multi Accessories Pro module for PrestaShop
In the module “Multi Accessories Pro” (hsmultiaccessoriespro) up to version 5.2.0 from Presta Monster for PrestaShop, a guest can perform SQL injection in affected versions.