Check CVE Id
Check CWE Id
In the orders section of PrestaShop before 188.8.131.52, an attack is possible after gaining access to a target store with a user role with the rights of at least a Salesman or higher privileges. The attacker can then inject arbitrary PHP objects into the process and abuse an object chain in order to gain Remote Code Execution. This occurs because protection against serialized objects looks for a 0: followed by an integer, but does not consider 0:+ followed by an integer.
modules/orderfiles/ajax/upload.php in the Customer Files Upload addon 2018-08-01 for PrestaShop (1.5 through 1.7) allows remote attackers to execute arbitrary code by uploading a php file via modules/orderfiles/upload.php with auptype equal to product (for upload destinations under modules/productfiles), order (for upload destinations under modules/files), or cart (for upload destinations under modules/cartfiles).
PrestaShop 1.6.x before 184.108.40.206 and 1.7.x before 220.127.116.11 allows remote attackers to execute arbitrary code via a file upload.
PrestaShop 1.6.x before 18.104.22.168 and 1.7.x before 22.214.171.124 allows remote attackers to delete an image directory.
PrestaShop 1.6.x before 126.96.36.199 and 1.7.x before 188.8.131.52 on Windows allows remote attackers to write to arbitrary image files.
PrestaShop before 184.108.40.206 and 1.7.x before 220.127.116.11 mishandles cookie encryption in Cookie.php, Rinjdael.php, and Blowfish.php.
modules/bamegamenu/ajax_phpcode.php in the Responsive Mega Menu (Horizontal+Vertical+Dropdown) Pro module 1.0.32 for PrestaShop 18.104.22.168 through 22.214.171.124 allows remote attackers to execute a SQL Injection through function calls in the code parameter.
modules/bamegamenu/ajax_phpcode.php in the Responsive Mega Menu (Horizontal+Vertical+Dropdown) Pro module 1.0.32 for PrestaShop 126.96.36.199 through 188.8.131.52 allows remote attackers to execute arbitrary PHP code via the code parameter.
In PrestaShop through 184.108.40.206, a UI-Redressing/Clickjacking vulnerability was found that might lead to state-changing impact in the context of a user or an admin, because the generateHtaccess function in classes/Tools.php sets neither X-Frame-Options nor 'Content-Security-Policy "frame-ancestors' values.
PrestaShop 220.127.116.11 allows user enumeration via the Reset Password feature, by noticing which reset attempts do not produce a "This account does not exist" error message.
Back to Top