Search for packages
| purl | pkg:composer/prestashop/prestashop@8.1.0-beta.1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1trs-ajxn-jkhk
Aliases: CVE-2025-51586 GHSA-8xx5-h6m3-jr33 |
Presta Shop vulnerable to email enumeration ### Impact An unauthenticated attacker with access to the back-office URL can manipulate the id_employee and reset_token parameters to enumerate valid back-office employee email addresses. Impacted parties: Store administrators and employees: their email addresses are exposed. Merchants: risk of phishing, social engineering, and brute-force attacks targeting admin accounts. ### Patches PrestaShop 8.2.3 ### Workarounds You must upgrade, or at least apply the changes from the PrestaShop 8.2.3 patch. More information: https://build.prestashop-project.org/news/2025/prestashop-8-2-3-security-release/ |
Affected by 1 other vulnerability. |
|
VCID-22v3-9qr1-pyfg
Aliases: CVE-2023-39529 GHSA-2rf5-3fw8-qm47 |
PrestaShop file deletion via attachment API PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, it is possible to delete a file from the server by using the Attachments controller and the Attachments API. Version 8.1.1 contains a patch for this issue. There are no known workarounds. |
Affected by 8 other vulnerabilities. |
|
VCID-7wj5-37ma-hbhg
Aliases: CVE-2023-39530 GHSA-v4gr-v679-42p7 |
Improper Input Validation PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, it is possible to delete files from the server via the CustomerMessage API. Version 8.1.1 contains a patch for this issue. There are no known workarounds. |
Affected by 8 other vulnerabilities. |
|
VCID-8beq-8rca-mbhd
Aliases: CVE-2023-39524 GHSA-75p5-jwx4-qw9h |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, SQL injection possible in the product search field, in BO's product page. Version 8.1.1 contains a patch for this issue. There are no known workarounds. |
Affected by 8 other vulnerabilities. |
|
VCID-c4g5-t8vx-syax
Aliases: CVE-2023-39528 GHSA-hpf4-v7v2-95p2 |
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, the `displayAjaxEmailHTML` method can be used to read any file on the server, potentially even outside of the project if the server is not correctly configured. Version 8.1.1 contains a patch for this issue. There are no known workarounds. |
Affected by 8 other vulnerabilities. |
|
VCID-cf1h-m5xj-mfc5
Aliases: CVE-2026-25597 GHSA-67v7-3g49-mxh2 |
PrestaShop affected by time based enumeration in FO login form ### Impact A time-based user enumeration vulnerability in the user authentication functionality of PrestaShop. This vulnerability allows an attacker to determine whether a customer account exists in the system by measuring response times. ### Patches 8.2.4 and 9.0.3 ### Workarounds none ### References Found by Lam Yiu Tung |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-ey36-u4qn-gbge
Aliases: CVE-2023-43664 GHSA-gvrg-62jp-rf7j |
Improper Privilege Management PrestaShop is an Open Source e-commerce web application. In the Prestashop Back office interface, an employee can list all modules without any access rights: method `ajaxProcessGetPossibleHookingListForModule` does not check access rights. This issue has been addressed in commit `15bd281c` which is included in version 8.1.2. Users are advised to upgrade. There are no known workaround for this issue. |
Affected by 6 other vulnerabilities. |
|
VCID-f4m9-pgg8-nqa3
Aliases: CVE-2024-21628 GHSA-vr7m-r9vm-m4wf |
PrestaShop XSS can be stored in DB from "add a message form" in order detail page (FO) ### Impact The isCleanHtml method is not used on this this form, which makes it possible to store an xss in DB. The impact is low because the html is not interpreted in BO, thanks to twig's escape mechanism. In FO, the xss is effective, but only impacts the customer sending it, or the customer session from which it was sent. Be careful if you have a module fetching these messages from the DB and displaying it without escaping html. ### Patches 8.1.x ### Reporter Reported by Rona Febriana (linkedin: https://www.linkedin.com/in/rona-febriana/) |
Affected by 4 other vulnerabilities. |
|
VCID-fkcb-5u24-wqbg
Aliases: CVE-2024-21627 GHSA-xgpm-q3mq-46rq |
PrestaShop some attribute not escaped in Validate::isCleanHTML method ### Description Some event attributes are not detected by the isCleanHTML method ### Impact Some modules using the isCleanHTML method could be vulnerable to xss ### Patches 8.1.3, 1.7.8.11 ### Workarounds The best workaround is to use the `HTMLPurifier` library to sanitize html input coming from users. The library is already available as a dependency in the PrestaShop project. Beware though that in legacy object models, fields of `HTML` type will call `isCleanHTML`. ### Reporters Reported by Antonio Russo (@Antonio-R1 on GitHub) and Antonio Rocco Spataro (@antoniospataro on GitHub). |
Affected by 4 other vulnerabilities. |
|
VCID-keyj-v83x-nkck
Aliases: CVE-2023-43663 GHSA-6jmf-2pfc-q9m7 |
Improper Privilege Management PrestaShop is an Open Source e-commerce web application. In affected versions any module can be disabled or uninstalled from back office, even with low user right. This allows low privileged users to disable portions of a shops functionality. Commit `ce1f6708` addresses this issue and is included in version 8.1.2. Users are advised to upgrade. There are no known workarounds for this issue. |
Affected by 6 other vulnerabilities. |
|
VCID-mb3x-p2d7-gqdx
Aliases: CVE-2023-39525 GHSA-m9r4-3fg7-pqm2 |
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, in the back office, files can be compromised using path traversal by replaying the import file deletion query with a specified file path that uses the traversal path. Version 8.1.1 contains a patch for this issue. There are no known workarounds. |
Affected by 8 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-2kkx-8ucb-7ucj | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') PrestaShop is an Open Source e-commerce web application. Prior to versions 8.0.4 and 1.7.8.9, the `ValidateCore::isCleanHTML()` method of Prestashop misses hijackable events which can lead to cross-site scripting (XSS) injection, allowed by the presence of pre-setup `@keyframes` methods. This XSS, which hijacks HTML attributes, can be triggered without any interaction by the visitor/administrator, which makes it as dangerous as a trivial XSS attack. Contrary to other attacks which target HTML attributes and are triggered without user interaction (such as onload / onerror which suffer from a very limited scope), this one can hijack every HTML element, which increases the danger due to a complete HTML elements scope. Versions 8.0.4 and 1.7.8.9 contain a fix for this issue. |
CVE-2023-30838
GHSA-fh7r-996q-gvcp |
| VCID-9n6p-8b89-63c6 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') PrestaShop is an Open Source e-commerce web application. Versions prior to 8.0.4 and 1.7.8.9 contain a SQL filtering vulnerability. A BO user can write, update, and delete in the database, even without having specific rights. PrestaShop 8.0.4 and 1.7.8.9 contain a patch for this issue. There are no known workarounds. |
CVE-2023-30839
GHSA-p379-cxqh-q822 |