-
[CVE-2024-25839] Exposure of Sensitive Information to an Unauthorized Actor in Webbax - Super Newsletter module for PrestaShop
In the module “Super Newsletter” (supernewsletter) up to version 1.4.21 (DANGER: all versions) from Webbax for PrestaShop, a guest can access a secret of PrestaShop.
-
[CVE-2024-25844] Exposure of Private Personal Information to an Unauthorized Actor in Common-Services - So Flexibilite module for PrestaShop
In the module “So Flexibilite” (soflexibilite) up to version 4.1.14 from Common-Services for PrestaShop, a guest can steal the login / password used to access the web portal https://www.colissimo.entreprise.laposte.fr/ and download all customer data such as name / surname / postal address / phone.
-
[CVE-2024-25847] Improper neutralization of SQL parameter in MyPrestaModules - Product Catalog (CSV, Excel) Import module for PrestaShop
In the module “Product Catalog (CSV, Excel) Import” (simpleimportproduct) up to version 6.7.0 from MyPrestaModules for PrestaShop, a guest can perform SQL injection in affected versions.
-
[CVE-2024-26469] Server-Side Request Forgery (SSRF) in Tunis Soft - Product Designer for PrestaShop
In the module “Product Designer” (productdesigner) up to version 1.178.36 from Tunis Soft for PrestaShop, an anonymous user can perform a Server-Side Request Forgery (SSRF) in affected versions.
-
[CVE-2024-24302] Deserialization of Untrusted Data in Tunis Soft - Product Designer module for PrestaShop
In the module “Product Designer” (productdesigner) up to version 1.178.36 from Tunis Soft for PrestaShop, a guest can execute remote code via deserialization of untrusted data.
-
[CVE-2024-24307] Improper Limitation of a Pathname to a Restricted Directory in Tunis Soft - Product Designer module for PrestaShop
In the module “Product Designer” (productdesigner) up to version 1.178.36 from Tunis Soft for PrestaShop, a guest can download personal information without restriction by performing a path traversal attack.
-
[CVE-2024-25842] External Control of File Name or Path in Presta World - Account Manager - Sales Representative & Dealers - CRM module for PrestaShop
In the module “Account Manager - Sales Representative & Dealers - CRM” (prestasalesmanager) up to version 8.0.0 from Presta World for PrestaShop, a guest can delete all files of the system.
-
[CVE-2024-25841] Improper Neutralization of Input During Web Page Generation in Common-Services - So Flexibilite module for PrestaShop
In the module “So Flexibilite” (soflexibilite) up to version 4.1.14 from Common-Services for PrestaShop, a guest (authenticated customer) can perform XSS injection of type 2 (Stored XSS) from FRONT to BACK (F2B) within the order funnel in affected versions.
-
[CVE-2024-25846] Unrestricted Upload of File with Dangerous Type in MyPrestaModules - Product Catalog (CSV, Excel) Import module for PrestaShop
In the module “Product Catalog (CSV, Excel) Import” (simpleimportproduct) up to version 6.7.0 from MyPrestaModules for PrestaShop, a guest can upload files with the .php extension.
-
[CVE-2024-25840] Improper Limitation of a Pathname to a Restricted Directory in Presta World - Account Manager - Sales Representative & Dealers - CRM module for PrestaShop
In the module “Account Manager - Sales Representative & Dealers - CRM” (prestasalesmanager) up to version 8.0.0 from Presta World for PrestaShop, a guest can download personal information without restriction by performing a path traversal attack.