Filtered by vendor Prestashop
Total: 129 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2012-6641 | 1 Prestashop | 1 Prestashop | 2026-05-06 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in redirect.php in the Socolissimo module (modules/socolissimo/) in PrestaShop before 1.4.7.2 allows remote attackers to inject arbitrary web script or HTML via vectors related to "parameter names and values." | |||||
| CVE-2015-1175 | 1 Prestashop | 1 Prestashop | 2026-05-06 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in blocklayered-ajax.php in the blocklayered module in PrestaShop 1.6.0.9 and earlier allows remote attackers to inject arbitrary web script or HTML via the layered_price_slider parameter. | |||||
| CVE-2012-5800 | 1 Prestashop | 2 Ebay Module, Prestashop | 2026-04-29 | 5.8 MEDIUM | N/A |
| The eBay module in PrestaShop does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. | |||||
| CVE-2012-5799 | 2 Prestashop, Presto-changeo | 2 Prestashop, Canadapost | 2026-04-29 | 5.8 MEDIUM | N/A |
| The Canada Post (aka CanadaPost) module in PrestaShop does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, related to use of the PHP fsockopen function. | |||||
| CVE-2011-4544 | 1 Prestashop | 1 Prestashop | 2026-04-29 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in Prestashop before 1.5 allow remote attackers to inject arbitrary web script or HTML via the (1) address or (2) relativ_base_dir parameter to modules/mondialrelay/googlemap.php; the (3) relativ_base_dir, (4) Pays, (5) Ville, (6) CP, (7) Poids, (8) Action, or (9) num parameter to prestashop/modules/mondialrelay/googlemap.php; (10) the num_mode parameter to modules/mondialrelay/kit_mondialrelay/RechercheDetailPointRelais_ajax.php; (11) the Expedition parameter to modules/mondialrelay/kit_mondialrelay/SuiviExpedition_ajax.php; or the (12) folder or (13) name parameter to admin/ajaxfilemanager/ajax_save_text.php. | |||||
| CVE-2011-4545 | 1 Prestashop | 1 Prestashop | 2026-04-29 | 5.0 MEDIUM | N/A |
| CRLF injection vulnerability in admin/displayImage.php in Prestashop 1.4.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the name parameter. | |||||
| CVE-2011-3796 | 1 Prestashop | 1 Prestashop | 2026-04-29 | 5.0 MEDIUM | N/A |
| PrestaShop 1.4.0.6 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by product-sort.php and certain other files. | |||||
| CVE-2012-5801 | 1 Prestashop | 2 Ebay, Prestashop | 2026-04-29 | 5.8 MEDIUM | N/A |
| The PayPal module in PrestaShop does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, related to use of the PHP fsockopen function. | |||||
| CVE-2008-5791 | 1 Prestashop | 1 Prestashop | 2026-04-23 | 10.0 HIGH | N/A |
| Multiple unspecified vulnerabilities in PrestaShop e-Commerce Solution before 1.1 Beta 2 (aka 1.1.0.1) have unknown impact and attack vectors, related to the (1) bankwire module, (2) cheque module, and other components. | |||||
| CVE-2008-6503 | 1 Prestashop | 1 Prestashop | 2026-04-23 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in PrestaShop 1.1.0.3 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) admin/login.php and (2) order.php. | |||||
| CVE-2026-33673 | 1 Prestashop | 1 Prestashop | 2026-04-01 | N/A | 7.6 HIGH |
| PrestaShop is an open source e-commerce web application. Versions prior to 8.2.5 and 9.1.0 are vulnerable to stored Cross-Site Scripting (stored XSS) vulnerabilities in the BO. An attacker who can inject data into the database, via limited back-office access or a previously existing vulnerability, can exploit unprotected variables in back-office templates. Versions 8.2.5 and 9.1.0 contain a fix. No known workarounds are available. | |||||
| CVE-2026-33674 | 1 Prestashop | 1 Prestashop | 2026-04-01 | N/A | 2.0 LOW |
| PrestaShop is an open source e-commerce web application. Versions prior to 8.2.5 and 9.1.0 improperly use the validation framework. Versions 8.2.5 and 9.1.0 contain a fix. No known workarounds are available. | |||||
| CVE-2026-25597 | 1 Prestashop | 1 Prestashop | 2026-02-19 | N/A | 5.3 MEDIUM |
| PrestaShop is an open source e-commerce web application. Prior to 8.2.4 and 9.0.3, there is a time-based user enumeration vulnerability in the user authentication functionality of PrestaShop. This vulnerability allows an attacker to determine whether a customer account exists in the system by measuring response times. This vulnerability is fixed in 8.2.4 and 9.0.3. | |||||
| CVE-2025-61924 | 1 Prestashop | 1 Prestashop Checkout | 2025-12-29 | N/A | 3.8 LOW |
| PrestaShop Checkout is the PrestaShop official payment module in partnership with PayPal. In versions prior to 4.4.1 and 5.0.5, wrong usage of the PHP array_search() function allows hijacking of the target PayPal merchant account from the backoffice. The vulnerability is fixed in versions 4.4.1 and 5.0.5. No known workarounds exist. | |||||
| CVE-2025-61922 | 1 Prestashop | 1 Prestashop Checkout | 2025-12-29 | N/A | 9.1 CRITICAL |
| PrestaShop Checkout is the PrestaShop official payment module in partnership with PayPal. Starting in version 1.3.0 and prior to versions 4.4.1 and 5.0.5, missing validation on the Express Checkout feature allows silent login, enabling account takeover via email. The vulnerability is fixed in versions 4.4.1 and 5.0.5. No known workarounds exist. | |||||
| CVE-2025-61923 | 1 Prestashop | 1 Prestashop Checkout | 2025-12-29 | N/A | 4.1 MEDIUM |
| PrestaShop Checkout is the PrestaShop official payment module in partnership with PayPal. In versions prior to 4.4.1 and 5.0.5, the backoffice is missing validation on input resulting in a directory traversal and arbitrary file disclosure. The vulnerability is fixed in versions 4.4.1 and 5.0.5. No known workarounds exist. | |||||
| CVE-2024-28392 | 1 Prestashop | 1 Abandoned Cart Reminder Pro | 2025-09-18 | N/A | 9.8 CRITICAL |
| SQL injection vulnerability in pscartabandonmentpro v.2.0.11 and before allows a remote attacker to escalate privileges via the pscartabandonmentproFrontCAPUnsubscribeJobModuleFrontController::setEmailVisualized() method. | |||||
| CVE-2024-36626 | 1 Prestashop | 1 Prestashop | 2025-09-15 | N/A | 5.3 MEDIUM |
| In PrestaShop 8.1.4, a NULL pointer dereference was identified in the math_round function within Tools.php. | |||||
| CVE-2025-51586 | 1 Prestashop | 1 Prestashop | 2025-09-12 | N/A | 3.7 LOW |
| An issue was discovered in the file controllers/admin/AdminLoginController.php in PrestaShop before 8.2.1, allowing attackers to gain sensitive information via the reset password feature. | |||||
| CVE-2025-25691 | 1 Prestashop | 1 Prestashop | 2025-08-06 | N/A | 6.5 MEDIUM |
| A PHAR deserialization vulnerability in the component /themes/import of PrestaShop v8.2.0 allows attackers to execute arbitrary code via a crafted POST request. | |||||
