Security Advisories - prestashop/prestashop

prestashop/prestashop Security Advisories for 8.1.0 (13)

[CRITICAL] PrestaShop cross-site scripting via customer contact form in FO, through file upload

PKSA-rpv3-t4jm-bhkm CVE-2024-34716 GHSA-45vm-3j38-7p78

Affected version: >=8.1.0,<8.1.6

Reported by:
GitHub
[MEDIUM] Path disclosure in JavaScript variable

PKSA-p3pd-yr3j-9ty2 CVE-2024-26129 GHSA-3366-9287-7qpr

Affected version: >=8.1.0,<8.1.4

Reported by:
GitHub
[MEDIUM] PrestaShop XSS can be stored in DB from "add a message form" in order detail page (FO)

PKSA-8wzq-y3v5-3bpw CVE-2024-21628 GHSA-vr7m-r9vm-m4wf

Affected version: <8.1.3

Reported by:
GitHub
[HIGH] PrestaShop some attribute not escaped in Validate::isCleanHTML method

PKSA-vxgv-fr1x-84x2 CVE-2024-21627 GHSA-xgpm-q3mq-46rq

Affected version: <1.7.8.11|>=8.0.0-beta.1,<8.1.3

Reported by:
GitHub
[MEDIUM] PrestaShop allows users to uninstall modules from backoffice, even with low rights

PKSA-1fhp-3jw8-ythx CVE-2023-43663 GHSA-6jmf-2pfc-q9m7

Affected version: <8.1.2

Reported by:
GitHub
[MEDIUM] PrestaShop allows employee without any access rights to list all installed modules

PKSA-6bxt-gn43-6f15 CVE-2023-43664 GHSA-gvrg-62jp-rf7j

Affected version: <8.1.2

Reported by:
GitHub
[MEDIUM] PrestaShop file deletion via CustomerMessage

PKSA-sm6p-36y9-kbwc CVE-2023-39530 GHSA-v4gr-v679-42p7

Affected version: <=8.1.0

Reported by:
GitHub
[MEDIUM] PrestaShop file deletion via attachment API

PKSA-jq67-q75p-gwt1 CVE-2023-39529 GHSA-2rf5-3fw8-qm47

Affected version: <=8.1.0

Reported by:
GitHub
[MEDIUM] PrestaShop file access through path traversal

PKSA-k56r-q35x-6nfw CVE-2023-39528 GHSA-hpf4-v7v2-95p2

Affected version: <=8.1.0

Reported by:
GitHub
[HIGH] PrestaShop XSS injection through Validate::isCleanHTML method

PKSA-fd9b-yzvb-7sj4 CVE-2023-39527 GHSA-xw2r-f8xv-c8xp

Affected version: <1.7.8.10|>=8.0.0,<8.0.5|=8.1.0

Reported by:
GitHub
[CRITICAL] PrestaShop SQL manager vulnerability

PKSA-zrh4-j94n-k8t7 CVE-2023-39526 GHSA-gf46-prm4-56pc

Affected version: <1.7.8.10|>=8.0.0,<8.0.5|=8.1.0

Reported by:
GitHub
[MEDIUM] PrestaShop path traversal

PKSA-2smq-v1p5-hrvm CVE-2023-39525 GHSA-m9r4-3fg7-pqm2

Affected version: <=8.1.0

Reported by:
GitHub
[MEDIUM] PrestaShop boolean SQL injection

PKSA-4s5f-735j-vn8c CVE-2023-39524 GHSA-75p5-jwx4-qw9h

Affected version: <=8.1.0

Reported by:
GitHub

prestashop/prestashop Security Advisories for 8.1.0 (13)

[CRITICAL] PrestaShop cross-site scripting via customer contact form in FO, through file upload

[MEDIUM] Path disclosure in JavaScript variable

[MEDIUM] PrestaShop XSS can be stored in DB from "add a message form" in order detail page (FO)

[HIGH] PrestaShop some attribute not escaped in Validate::isCleanHTML method

[MEDIUM] PrestaShop allows users to uninstall modules from backoffice, even with low rights

[MEDIUM] PrestaShop allows employee without any access rights to list all installed modules

[MEDIUM] PrestaShop file deletion via CustomerMessage

[MEDIUM] PrestaShop file deletion via attachment API

[MEDIUM] PrestaShop file access through path traversal

[HIGH] PrestaShop XSS injection through Validate::isCleanHTML method

[CRITICAL] PrestaShop SQL manager vulnerability

[MEDIUM] PrestaShop path traversal

[MEDIUM] PrestaShop boolean SQL injection