Search for packages
| purl | pkg:composer/prestashop/prestashop@1.7.6.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1trs-ajxn-jkhk
Aliases: CVE-2025-51586 GHSA-8xx5-h6m3-jr33 |
Presta Shop vulnerable to email enumeration ### Impact An unauthenticated attacker with access to the back-office URL can manipulate the id_employee and reset_token parameters to enumerate valid back-office employee email addresses. Impacted parties: Store administrators and employees: their email addresses are exposed. Merchants: risk of phishing, social engineering, and brute-force attacks targeting admin accounts. ### Patches PrestaShop 8.2.3 ### Workarounds You must upgrade, or at least apply the changes from the PrestaShop 8.2.3 patch. More information: https://build.prestashop-project.org/news/2025/prestashop-8-2-3-security-release/ |
Affected by 1 other vulnerability. |
|
VCID-22v3-9qr1-pyfg
Aliases: CVE-2023-39529 GHSA-2rf5-3fw8-qm47 |
PrestaShop file deletion via attachment API PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, it is possible to delete a file from the server by using the Attachments controller and the Attachments API. Version 8.1.1 contains a patch for this issue. There are no known workarounds. |
Affected by 8 other vulnerabilities. |
|
VCID-2kkx-8ucb-7ucj
Aliases: CVE-2023-30838 GHSA-fh7r-996q-gvcp |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') PrestaShop is an Open Source e-commerce web application. Prior to versions 8.0.4 and 1.7.8.9, the `ValidateCore::isCleanHTML()` method of Prestashop misses hijackable events which can lead to cross-site scripting (XSS) injection, allowed by the presence of pre-setup `@keyframes` methods. This XSS, which hijacks HTML attributes, can be triggered without any interaction by the visitor/administrator, which makes it as dangerous as a trivial XSS attack. Contrary to other attacks which target HTML attributes and are triggered without user interaction (such as onload / onerror which suffer from a very limited scope), this one can hijack every HTML element, which increases the danger due to a complete HTML elements scope. Versions 8.0.4 and 1.7.8.9 contain a fix for this issue. |
Affected by 0 other vulnerabilities. Affected by 12 other vulnerabilities. Affected by 13 other vulnerabilities. Affected by 11 other vulnerabilities. |
|
VCID-45hk-m7uv-zqfe
Aliases: CVE-2023-30545 GHSA-8r4m-5p6p-52rp |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') PrestaShop is an Open Source e-commerce web application. Prior to versions 8.0.4 and 1.7.8.9, it is possible for a user with access to the SQL Manager (Advanced Options -> Database) to arbitrarily read any file on the operating system when using SQL function `LOAD_FILE` in a `SELECT` request. This gives the user access to critical information. A patch is available in PrestaShop 8.0.4 and PS 1.7.8.9 |
Affected by 0 other vulnerabilities. Affected by 10 other vulnerabilities. Affected by 13 other vulnerabilities. |
|
VCID-7wj5-37ma-hbhg
Aliases: CVE-2023-39530 GHSA-v4gr-v679-42p7 |
Improper Input Validation PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, it is possible to delete files from the server via the CustomerMessage API. Version 8.1.1 contains a patch for this issue. There are no known workarounds. |
Affected by 8 other vulnerabilities. |
|
VCID-8beq-8rca-mbhd
Aliases: CVE-2023-39524 GHSA-75p5-jwx4-qw9h |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, SQL injection possible in the product search field, in BO's product page. Version 8.1.1 contains a patch for this issue. There are no known workarounds. |
Affected by 8 other vulnerabilities. |
|
VCID-9n6p-8b89-63c6
Aliases: CVE-2023-30839 GHSA-p379-cxqh-q822 |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') PrestaShop is an Open Source e-commerce web application. Versions prior to 8.0.4 and 1.7.8.9 contain a SQL filtering vulnerability. A BO user can write, update, and delete in the database, even without having specific rights. PrestaShop 8.0.4 and 1.7.8.9 contain a patch for this issue. There are no known workarounds. |
Affected by 0 other vulnerabilities. Affected by 12 other vulnerabilities. Affected by 13 other vulnerabilities. Affected by 11 other vulnerabilities. |
|
VCID-bmyy-gqbc-ybhz
Aliases: CVE-2021-43789 GHSA-6xxj-gcjq-wgf4 |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') PrestaShop is an Open Source e-commerce web application. Versions of PrestaShop prior to 1.7.8.2 are vulnerable to blind SQL injection using search filters with `orderBy` and `sortOrder` parameters. The problem is fixed in version 1.7.8.2. |
Affected by 1 other vulnerability. |
|
VCID-c4g5-t8vx-syax
Aliases: CVE-2023-39528 GHSA-hpf4-v7v2-95p2 |
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, the `displayAjaxEmailHTML` method can be used to read any file on the server, potentially even outside of the project if the server is not correctly configured. Version 8.1.1 contains a patch for this issue. There are no known workarounds. |
Affected by 8 other vulnerabilities. |
|
VCID-cf1h-m5xj-mfc5
Aliases: CVE-2026-25597 GHSA-67v7-3g49-mxh2 |
PrestaShop affected by time based enumeration in FO login form ### Impact A time-based user enumeration vulnerability in the user authentication functionality of PrestaShop. This vulnerability allows an attacker to determine whether a customer account exists in the system by measuring response times. ### Patches 8.2.4 and 9.0.3 ### Workarounds none ### References Found by Lam Yiu Tung |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-ey36-u4qn-gbge
Aliases: CVE-2023-43664 GHSA-gvrg-62jp-rf7j |
Improper Privilege Management PrestaShop is an Open Source e-commerce web application. In the Prestashop Back office interface, an employee can list all modules without any access rights: method `ajaxProcessGetPossibleHookingListForModule` does not check access rights. This issue has been addressed in commit `15bd281c` which is included in version 8.1.2. Users are advised to upgrade. There are no known workaround for this issue. |
Affected by 6 other vulnerabilities. |
|
VCID-f4m9-pgg8-nqa3
Aliases: CVE-2024-21628 GHSA-vr7m-r9vm-m4wf |
PrestaShop XSS can be stored in DB from "add a message form" in order detail page (FO) ### Impact The isCleanHtml method is not used on this this form, which makes it possible to store an xss in DB. The impact is low because the html is not interpreted in BO, thanks to twig's escape mechanism. In FO, the xss is effective, but only impacts the customer sending it, or the customer session from which it was sent. Be careful if you have a module fetching these messages from the DB and displaying it without escaping html. ### Patches 8.1.x ### Reporter Reported by Rona Febriana (linkedin: https://www.linkedin.com/in/rona-febriana/) |
Affected by 4 other vulnerabilities. |
|
VCID-f7s4-16b7-zkcm
Aliases: CVE-2023-39526 GHSA-gf46-prm4-56pc |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') PrestaShop is an open source e-commerce web application. Versions prior to 1.7.8.10, 8.0.5, and 8.1.1 is vulnerable to remote code execution through SQL injection and arbitrary file write in the back office. Versions 1.7.8.10, 8.0.5, and 8.1.1 contain a patch. There are no known workarounds. |
Affected by 0 other vulnerabilities. Affected by 11 other vulnerabilities. Affected by 11 other vulnerabilities. Affected by 8 other vulnerabilities. |
|
VCID-fkcb-5u24-wqbg
Aliases: CVE-2024-21627 GHSA-xgpm-q3mq-46rq |
PrestaShop some attribute not escaped in Validate::isCleanHTML method ### Description Some event attributes are not detected by the isCleanHTML method ### Impact Some modules using the isCleanHTML method could be vulnerable to xss ### Patches 8.1.3, 1.7.8.11 ### Workarounds The best workaround is to use the `HTMLPurifier` library to sanitize html input coming from users. The library is already available as a dependency in the PrestaShop project. Beware though that in legacy object models, fields of `HTML` type will call `isCleanHTML`. ### Reporters Reported by Antonio Russo (@Antonio-R1 on GitHub) and Antonio Rocco Spataro (@antoniospataro on GitHub). |
Affected by 0 other vulnerabilities. Affected by 3 other vulnerabilities. Affected by 4 other vulnerabilities. |
|
VCID-gggb-dges-qke1
Aliases: CVE-2023-25170 GHSA-3g43-x7qr-96ph |
Cross-Site Request Forgery (CSRF) PrestaShop is an open source e-commerce web application that, prior to version 8.0.1, is vulnerable to cross-site request forgery (CSRF). When authenticating users, PrestaShop preserves session attributes. Because this does not clear CSRF tokens upon login, this might enable same-site attackers to bypass the CSRF protection mechanism by performing an attack similar to a session-fixation. The problem is fixed in version 8.0.1. |
Affected by 16 other vulnerabilities. |
|
VCID-ghu1-c6e6-pudm
Aliases: CVE-2022-21686 GHSA-mrq4-7ch7-2465 |
Improper Control of Generation of Code ('Code Injection') PrestaShop is an Open Source e-commerce platform. Starting with version 1.7.0.0 and ending with version 1.7.8.3, an attacker is able to inject twig code inside the back office when using the legacy layout. The problem is fixed in version 1.7.8.3. There are no known workarounds. |
Affected by 0 other vulnerabilities. Affected by 16 other vulnerabilities. |
|
VCID-htkt-tj6d-hydx
Aliases: CVE-2022-46158 GHSA-9qgp-9wwc-v29r GMS-2022-8006 |
PrestaShop has potential Information exposure in the upload directory ### Impact Potential Information exposure in the upload directory. ### Patches Patch in PrestaShop 1.7.8.8 ### References https://capec.mitre.org/data/definitions/87.html Thanks to DZPATROL |
Affected by 14 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-keyj-v83x-nkck
Aliases: CVE-2023-43663 GHSA-6jmf-2pfc-q9m7 |
Improper Privilege Management PrestaShop is an Open Source e-commerce web application. In affected versions any module can be disabled or uninstalled from back office, even with low user right. This allows low privileged users to disable portions of a shops functionality. Commit `ce1f6708` addresses this issue and is included in version 8.1.2. Users are advised to upgrade. There are no known workarounds for this issue. |
Affected by 6 other vulnerabilities. |
|
VCID-kwe1-5ukw-cbau
Aliases: CVE-2023-39527 GHSA-xw2r-f8xv-c8xp |
Improper Encoding or Escaping of Output PrestaShop is an open source e-commerce web application. Versions prior to 1.7.8.10, 8.0.5, and 8.1.1 is vulnerable to cross-site scripting through the `isCleanHTML` method. Versions 1.7.8.10, 8.0.5, and 8.1.1 contain a patch. There are no known workarounds. |
Affected by 0 other vulnerabilities. Affected by 11 other vulnerabilities. Affected by 11 other vulnerabilities. Affected by 8 other vulnerabilities. |
|
VCID-mb3x-p2d7-gqdx
Aliases: CVE-2023-39525 GHSA-m9r4-3fg7-pqm2 |
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, in the back office, files can be compromised using path traversal by replaying the import file deletion query with a specified file path that uses the traversal path. Version 8.1.1 contains a patch for this issue. There are no known workarounds. |
Affected by 8 other vulnerabilities. |
|
VCID-qx7c-y2p8-vye9
Aliases: CVE-2023-31508 GHSA-6mhc-hqr3-w466 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') A cross-site scripting (XSS) vulnerability in PrestaShop v1.7.7.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the message parameter in /contactform/contactform.php. |
Affected by 21 other vulnerabilities. |
|
VCID-vcuy-9cdj-uyhz
Aliases: CVE-2022-31181 GHSA-hrgx-p36p-89q4 GMS-2022-3270 |
PrestaShop eval injection possible if shop vulnerable to SQL injection ### Impact Eval injection possible if the shop is vulnerable to an SQL injection. ### Patches The problem is fixed in version 1.7.8.7 ### Workarounds Delete the MySQL Smarty cache feature by removing these lines in the file `config/smarty.config.inc.php` lines 43-46 (PrestaShop 1.7) or 40-43 (PrestaShop 1.6): ```php if (Configuration::get('PS_SMARTY_CACHING_TYPE') == 'mysql') { include _PS_CLASS_DIR_.'Smarty/SmartyCacheResourceMysql.php'; $smarty->caching_type = 'mysql'; } ``` |
Affected by 0 other vulnerabilities. Affected by 15 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-g8wq-cvqc-9kfr | Cross-site Scripting In PrestaShop, the `shop_country` parameter in the `install/index.Exploitation by a malicious actor requires the user to follow the initial stages of the setup (accepting terms and conditions) before executing the malicious link. |
CVE-2019-11876
GHSA-6grv-hw8g-4gfm |