Filtered by vendor Prestashop
Subscribe
Total
126 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-61924 | 1 Prestashop | 1 Prestashop Checkout | 2025-12-29 | N/A | 3.8 LOW |
| PrestaShop Checkout is the PrestaShop official payment module in partnership with PayPal. In versions prior to 4.4.1 and 5.0.5, the Target PayPal merchant account hijacking from backoffice due to wrong usage of the PHP array_search(). The vulnerability is fixed in versions 4.4.1 and 5.0.5. No known workarounds exist. | |||||
| CVE-2025-61922 | 1 Prestashop | 1 Prestashop Checkout | 2025-12-29 | N/A | 9.1 CRITICAL |
| PrestaShop Checkout is the PrestaShop official payment module in partnership with PayPal. Starting in version 1.3.0 and prior to versions 4.4.1 and 5.0.5, missing validation on the Express Checkout feature allows silent login, enabling account takeover via email. The vulnerability is fixed in versions 4.4.1 and 5.0.5. No known workarounds exist. | |||||
| CVE-2025-61923 | 1 Prestashop | 1 Prestashop Checkout | 2025-12-29 | N/A | 4.1 MEDIUM |
| PrestaShop Checkout is the PrestaShop official payment module in partnership with PayPal. In versions prior to 4.4.1 and 5.0.5, the backoffice is missing validation on input resulting in a directory traversal and arbitrary file disclosure. The vulnerability is fixed in versions 4.4.1 and 5.0.5. No known workarounds exist. | |||||
| CVE-2024-28392 | 1 Prestashop | 1 Abandoned Cart Reminder Pro | 2025-09-18 | N/A | 9.8 CRITICAL |
| SQL injection vulnerability in pscartabandonmentpro v.2.0.11 and before allows a remote attacker to escalate privileges via the pscartabandonmentproFrontCAPUnsubscribeJobModuleFrontController::setEmailVisualized() method. | |||||
| CVE-2024-36626 | 1 Prestashop | 1 Prestashop | 2025-09-15 | N/A | 5.3 MEDIUM |
| In prestashop 8.1.4, a NULL pointer dereference was identified in the math_round function within Tools.php. | |||||
| CVE-2025-51586 | 1 Prestashop | 1 Prestashop | 2025-09-12 | N/A | 3.7 LOW |
| An issue was discoverd in file controllers/admin/AdminLoginController.php in PrestaShop before 8.2.1 allowing attackers to gain sensitive information via the reset password feature. | |||||
| CVE-2025-25691 | 1 Prestashop | 1 Prestashop | 2025-08-06 | N/A | 6.5 MEDIUM |
| A PHAR deserialization vulnerability in the component /themes/import of PrestaShop v8.2.0 allows attackers to execute arbitrary code via a crafted POST request. | |||||
| CVE-2025-25692 | 1 Prestashop | 1 Prestashop | 2025-08-06 | N/A | 6.5 MEDIUM |
| A PHAR deserialization vulnerability in the _getHeaders function of PrestaShop v8.2.0 allows attackers to execute arbitrary code via a crafted POST request. | |||||
| CVE-2023-48926 | 1 Prestashop | 1 Advanced Loyalty Program | 2025-06-02 | N/A | 5.3 MEDIUM |
| An issue in 202 ecommerce Advanced Loyalty Program: Loyalty Points before v2.3.4 for PrestaShop allows unauthenticated attackers to arbitrarily change an order status. | |||||
| CVE-2024-25843 | 1 Prestashop | 1 Import\/update Bulk Product | 2025-05-15 | N/A | 9.8 CRITICAL |
| In the module "Import/Update Bulk Product from any Csv/Excel File Pro" (ba_importer) up to version 1.1.28 from Buy Addons for PrestaShop, a guest can perform SQL injection in affected versions. | |||||
| CVE-2012-6641 | 1 Prestashop | 1 Prestashop | 2025-04-12 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in redirect.php in the Socolissimo module (modules/socolissimo/) in PrestaShop before 1.4.7.2 allows remote attackers to inject arbitrary web script or HTML via vectors related to "parameter names and values." | |||||
| CVE-2015-1175 | 1 Prestashop | 1 Prestashop | 2025-04-12 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in blocklayered-ajax.php in the blocklayered module in PrestaShop 1.6.0.9 and earlier allows remote attackers to inject arbitrary web script or HTML via the layered_price_slider parameter. | |||||
| CVE-2012-5800 | 1 Prestashop | 2 Ebay Module, Prestashop | 2025-04-11 | 5.8 MEDIUM | N/A |
| The eBay module in PrestaShop does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. | |||||
| CVE-2012-5799 | 2 Prestashop, Presto-changeo | 2 Prestashop, Canadapost | 2025-04-11 | 5.8 MEDIUM | N/A |
| The Canada Post (aka CanadaPost) module in PrestaShop does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, related to use of the PHP fsockopen function. | |||||
| CVE-2011-4544 | 1 Prestashop | 1 Prestashop | 2025-04-11 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in Prestashop before 1.5 allow remote attackers to inject arbitrary web script or HTML via the (1) address or (2) relativ_base_dir parameter to modules/mondialrelay/googlemap.php; the (3) relativ_base_dir, (4) Pays, (5) Ville, (6) CP, (7) Poids, (8) Action, or (9) num parameter to prestashop/modules/mondialrelay/googlemap.php; (10) the num_mode parameter to modules/mondialrelay/kit_mondialrelay/RechercheDetailPointRelais_ajax.php; (11) the Expedition parameter to modules/mondialrelay/kit_mondialrelay/SuiviExpedition_ajax.php; or the (12) folder or (13) name parameter to admin/ajaxfilemanager/ajax_save_text.php. | |||||
| CVE-2011-4545 | 1 Prestashop | 1 Prestashop | 2025-04-11 | 5.0 MEDIUM | N/A |
| CRLF injection vulnerability in admin/displayImage.php in Prestashop 1.4.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the name parameter. | |||||
| CVE-2011-3796 | 1 Prestashop | 1 Prestashop | 2025-04-11 | 5.0 MEDIUM | N/A |
| PrestaShop 1.4.0.6 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by product-sort.php and certain other files. | |||||
| CVE-2012-5801 | 1 Prestashop | 2 Ebay, Prestashop | 2025-04-11 | 5.8 MEDIUM | N/A |
| The PayPal module in PrestaShop does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, related to use of the PHP fsockopen function. | |||||
| CVE-2008-5791 | 1 Prestashop | 1 Prestashop | 2025-04-09 | 10.0 HIGH | N/A |
| Multiple unspecified vulnerabilities in PrestaShop e-Commerce Solution before 1.1 Beta 2 (aka 1.1.0.1) have unknown impact and attack vectors, related to the (1) bankwire module, (2) cheque module, and other components. | |||||
| CVE-2008-6503 | 1 Prestashop | 1 Prestashop | 2025-04-09 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in PrestaShop 1.1.0.3 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) admin/login.php and (2) order.php. | |||||