Search for packages
| purl | pkg:composer/prestashop/prestashop@8.1.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1trs-ajxn-jkhk
Aliases: CVE-2025-51586 GHSA-8xx5-h6m3-jr33 |
Presta Shop vulnerable to email enumeration ### Impact An unauthenticated attacker with access to the back-office URL can manipulate the id_employee and reset_token parameters to enumerate valid back-office employee email addresses. Impacted parties: Store administrators and employees: their email addresses are exposed. Merchants: risk of phishing, social engineering, and brute-force attacks targeting admin accounts. ### Patches PrestaShop 8.2.3 ### Workarounds You must upgrade, or at least apply the changes from the PrestaShop 8.2.3 patch. More information: https://build.prestashop-project.org/news/2025/prestashop-8-2-3-security-release/ |
Affected by 1 other vulnerability. |
|
VCID-22v3-9qr1-pyfg
Aliases: CVE-2023-39529 GHSA-2rf5-3fw8-qm47 |
PrestaShop file deletion via attachment API PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, it is possible to delete a file from the server by using the Attachments controller and the Attachments API. Version 8.1.1 contains a patch for this issue. There are no known workarounds. |
Affected by 8 other vulnerabilities. |
|
VCID-5s8z-4eqn-p7h7
Aliases: CVE-2024-26129 GHSA-3366-9287-7qpr |
### Impact Path disclosure in JavaScript variable ### Patches Patch in PrestaShop 8.1.4 ### References https://owasp.org/www-community/attacks/Full_Path_Disclosure Thanks to https://github.com/hugo-fasone |
Affected by 3 other vulnerabilities. |
|
VCID-7wj5-37ma-hbhg
Aliases: CVE-2023-39530 GHSA-v4gr-v679-42p7 |
Improper Input Validation PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, it is possible to delete files from the server via the CustomerMessage API. Version 8.1.1 contains a patch for this issue. There are no known workarounds. |
Affected by 8 other vulnerabilities. |
|
VCID-8beq-8rca-mbhd
Aliases: CVE-2023-39524 GHSA-75p5-jwx4-qw9h |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, SQL injection possible in the product search field, in BO's product page. Version 8.1.1 contains a patch for this issue. There are no known workarounds. |
Affected by 8 other vulnerabilities. |
|
VCID-c4g5-t8vx-syax
Aliases: CVE-2023-39528 GHSA-hpf4-v7v2-95p2 |
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, the `displayAjaxEmailHTML` method can be used to read any file on the server, potentially even outside of the project if the server is not correctly configured. Version 8.1.1 contains a patch for this issue. There are no known workarounds. |
Affected by 8 other vulnerabilities. |
|
VCID-cf1h-m5xj-mfc5
Aliases: CVE-2026-25597 GHSA-67v7-3g49-mxh2 |
PrestaShop affected by time based enumeration in FO login form ### Impact A time-based user enumeration vulnerability in the user authentication functionality of PrestaShop. This vulnerability allows an attacker to determine whether a customer account exists in the system by measuring response times. ### Patches 8.2.4 and 9.0.3 ### Workarounds none ### References Found by Lam Yiu Tung |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-ey36-u4qn-gbge
Aliases: CVE-2023-43664 GHSA-gvrg-62jp-rf7j |
Improper Privilege Management PrestaShop is an Open Source e-commerce web application. In the Prestashop Back office interface, an employee can list all modules without any access rights: method `ajaxProcessGetPossibleHookingListForModule` does not check access rights. This issue has been addressed in commit `15bd281c` which is included in version 8.1.2. Users are advised to upgrade. There are no known workaround for this issue. |
Affected by 6 other vulnerabilities. |
|
VCID-f4m9-pgg8-nqa3
Aliases: CVE-2024-21628 GHSA-vr7m-r9vm-m4wf |
PrestaShop XSS can be stored in DB from "add a message form" in order detail page (FO) ### Impact The isCleanHtml method is not used on this this form, which makes it possible to store an xss in DB. The impact is low because the html is not interpreted in BO, thanks to twig's escape mechanism. In FO, the xss is effective, but only impacts the customer sending it, or the customer session from which it was sent. Be careful if you have a module fetching these messages from the DB and displaying it without escaping html. ### Patches 8.1.x ### Reporter Reported by Rona Febriana (linkedin: https://www.linkedin.com/in/rona-febriana/) |
Affected by 4 other vulnerabilities. |
|
VCID-f7s4-16b7-zkcm
Aliases: CVE-2023-39526 GHSA-gf46-prm4-56pc |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') PrestaShop is an open source e-commerce web application. Versions prior to 1.7.8.10, 8.0.5, and 8.1.1 is vulnerable to remote code execution through SQL injection and arbitrary file write in the back office. Versions 1.7.8.10, 8.0.5, and 8.1.1 contain a patch. There are no known workarounds. |
Affected by 8 other vulnerabilities. |
|
VCID-fkcb-5u24-wqbg
Aliases: CVE-2024-21627 GHSA-xgpm-q3mq-46rq |
PrestaShop some attribute not escaped in Validate::isCleanHTML method ### Description Some event attributes are not detected by the isCleanHTML method ### Impact Some modules using the isCleanHTML method could be vulnerable to xss ### Patches 8.1.3, 1.7.8.11 ### Workarounds The best workaround is to use the `HTMLPurifier` library to sanitize html input coming from users. The library is already available as a dependency in the PrestaShop project. Beware though that in legacy object models, fields of `HTML` type will call `isCleanHTML`. ### Reporters Reported by Antonio Russo (@Antonio-R1 on GitHub) and Antonio Rocco Spataro (@antoniospataro on GitHub). |
Affected by 4 other vulnerabilities. |
|
VCID-keyj-v83x-nkck
Aliases: CVE-2023-43663 GHSA-6jmf-2pfc-q9m7 |
Improper Privilege Management PrestaShop is an Open Source e-commerce web application. In affected versions any module can be disabled or uninstalled from back office, even with low user right. This allows low privileged users to disable portions of a shops functionality. Commit `ce1f6708` addresses this issue and is included in version 8.1.2. Users are advised to upgrade. There are no known workarounds for this issue. |
Affected by 6 other vulnerabilities. |
|
VCID-kwe1-5ukw-cbau
Aliases: CVE-2023-39527 GHSA-xw2r-f8xv-c8xp |
Improper Encoding or Escaping of Output PrestaShop is an open source e-commerce web application. Versions prior to 1.7.8.10, 8.0.5, and 8.1.1 is vulnerable to cross-site scripting through the `isCleanHTML` method. Versions 1.7.8.10, 8.0.5, and 8.1.1 contain a patch. There are no known workarounds. |
Affected by 8 other vulnerabilities. |
|
VCID-mb3x-p2d7-gqdx
Aliases: CVE-2023-39525 GHSA-m9r4-3fg7-pqm2 |
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, in the back office, files can be compromised using path traversal by replaying the import file deletion query with a specified file path that uses the traversal path. Version 8.1.1 contains a patch for this issue. There are no known workarounds. |
Affected by 8 other vulnerabilities. |
|
VCID-ws23-cmum-kyh6
Aliases: CVE-2024-34716 GHSA-45vm-3j38-7p78 |
PrestaShop cross-site scripting via customer contact form in FO, through file upload ### Impact Only PrestaShops with customer-thread feature flag enabled are impacted, starting from PrestaShop 8.1.0. The impact is substantial, when the customer thread feature flag is enabled, through the front-office contact form, a hacker can upload a malicious file containing an XSS that will be executed when an admin opens the attached file in back office. Consequence: the script injected can access the session and the security token, which allows it to perform any authenticated action in the scope of the administrator's right. ### Patches This vulnerability is patched in 8.1.6. ### Workarounds As long as you have not upgraded to 8.1.6, a simple workaround is to disable the customer-thread feature-flag. Thank you to Ayoub AIT ELMOKHTAR, who discovered this vulnerability and share it with the PrestaShop team. |
Affected by 2 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||