190 vulnerabilities found for PrestaShop by PrestaShop
CVE-2026-44212 (GCVE-0-2026-44212)
Vulnerability from nvd – Published: 2026-05-14 20:44 – Updated: 2026-05-15 13:34
Title
PrestaShop: Stored XSS executable in customer service view
Summary
PrestaShop is an open source e-commerce web application. In 8.x releases prior to 8.2.6 and 9.x releases prior to 9.1.1, there is a stored Cross-Site Scripting (XSS) vulnerability in the PrestaShop back-office Customer Service view. An unauthenticated attacker can submit the public Contact Us form with a malicious email address; the payload is stored in the database and executes when a back-office employee opens the affected customer thread, enabling session hijacking and full back-office takeover. The vulnerability is fixed in 8.2.6 and 9.1.1. Because the payload is persisted in the database, contact messages received before the upgrade may still carry it, so reviewing existing Customer Service threads after patching is advisable.
Severity
9.3 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/PrestaShop/PrestaShop/security… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| PrestaShop | PrestaShop |
Affected:
< 8.2.6
Affected: >= 9.0.0-alpha.1, < 9.1.1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44212",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-15T13:33:59.708001Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-15T13:34:09.904Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "PrestaShop",
"vendor": "PrestaShop",
"versions": [
{
"status": "affected",
"version": "\u003c 8.2.6"
},
{
"status": "affected",
"version": "\u003e= 9.0.0-alpha.1, \u003c 9.1.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PrestaShop is an open source e-commerce web application. Prior to 8.2.6 and 9.1.1, there is a stored Cross-Site Scripting (XSS) vulnerability in the PrestaShop back-office Customer Service view. An unauthenticated attacker can submit the public Contact Us form with a malicious email address. The payload is stored in the database and executed when a back-office employee opens the affected customer thread, enabling session hijacking and full back-office takeover. This vulnerability is fixed in 8.2.6 and 9.1.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T20:44:08.152Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-w9f3-qc75-qgx9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-w9f3-qc75-qgx9"
}
],
"source": {
"advisory": "GHSA-w9f3-qc75-qgx9",
"discovery": "UNKNOWN"
},
"title": "PrestaShop: Stored XSS executable in customer service view"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44212",
"datePublished": "2026-05-14T20:44:08.152Z",
"dateReserved": "2026-05-05T15:13:47.571Z",
"dateUpdated": "2026-05-15T13:34:09.904Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33674 (GCVE-0-2026-33674)
Vulnerability from nvd – Published: 2026-03-26 21:42 – Updated: 2026-03-30 11:44
Title
PrestaShop: Improper Use of Validation Framework
Summary
PrestaShop is an open source e-commerce web application. 8.x releases prior to 8.2.5 and 9.x releases prior to 9.1.0 improperly use the validation framework (CWE-1173); this record gives no further detail on which inputs are affected. Versions 8.2.5 and 9.1.0 contain a fix. No known workarounds are available.
Severity
2.0 (Low) — CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N, i.e. requires high privileges and user interaction
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-1173 - Improper Use of Validation Framework
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/PrestaShop/PrestaShop/security… | x_refsource_CONFIRM |
| https://github.com/PrestaShop/PrestaShop/releases… | x_refsource_MISC |
| https://github.com/PrestaShop/PrestaShop/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| PrestaShop | PrestaShop |
Affected:
< 8.2.5
Affected: >= 9.0.0-alpha.1, < 9.1.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33674",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-30T11:44:11.753537Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-30T11:44:22.497Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "PrestaShop",
"vendor": "PrestaShop",
"versions": [
{
"status": "affected",
"version": "\u003c 8.2.5"
},
{
"status": "affected",
"version": "\u003e= 9.0.0-alpha.1, \u003c 9.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PrestaShop is an open source e-commerce web application. Versions prior to 8.2.5 and 9.1.0 improperly use the validation framework. Versions 8.2.5 and 9.1.0 contain a fix. No known workarounds are available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1173",
"description": "CWE-1173: Improper Use of Validation Framework",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T21:42:33.590Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-283w-xf3q-788v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-283w-xf3q-788v"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/releases/tag/8.2.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/releases/tag/8.2.5"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/releases/tag/9.1.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/releases/tag/9.1.0"
}
],
"source": {
"advisory": "GHSA-283w-xf3q-788v",
"discovery": "UNKNOWN"
},
"title": "PrestaShop: Improper Use of Validation Framework"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33674",
"datePublished": "2026-03-26T21:42:33.590Z",
"dateReserved": "2026-03-23T16:34:59.930Z",
"dateUpdated": "2026-03-30T11:44:22.497Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33673 (GCVE-0-2026-33673)
Vulnerability from nvd – Published: 2026-03-26 21:41 – Updated: 2026-03-27 20:27
Title
PrestaShop has multiple stored XSS vulnerabilities via unprotected Template variables
Summary
PrestaShop is an open source e-commerce web application. 8.x releases prior to 8.2.5 and 9.x releases prior to 9.1.0 are vulnerable to stored Cross-Site Scripting (stored XSS) in the back office (BO). An attacker who can already inject data into the database — via limited back-office access or a previously existing vulnerability — can exploit unprotected variables in back-office templates, so this is a post-foothold escalation rather than an unauthenticated entry point (the CVSS vector rates it PR:H/UI:R). Versions 8.2.5 and 9.1.0 contain a fix. No known workarounds are available.
Severity
7.7 (High) — note: the published vector CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H appears to evaluate to 7.6 under the CVSS 3.1 formula; verify the score against the GHSA advisory before relying on it
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/PrestaShop/PrestaShop/security… | x_refsource_CONFIRM |
| https://github.com/PrestaShop/PrestaShop/releases… | x_refsource_MISC |
| https://github.com/PrestaShop/PrestaShop/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| PrestaShop | PrestaShop |
Affected:
>= 9.0.0-alpha.1, < 9.1.0
Affected: < 8.2.5 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33673",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-27T20:27:27.559622Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T20:27:40.683Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "PrestaShop",
"vendor": "PrestaShop",
"versions": [
{
"status": "affected",
"version": "\u003e= 9.0.0-alpha.1, \u003c 9.1.0"
},
{
"status": "affected",
"version": "\u003c 8.2.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PrestaShop is an open source e-commerce web application. Versions prior to 8.2.5 and 9.1.0 are vulnerable to stored Cross-Site Scripting (stored XSS) vulnerabilities in the BO. An attacker who can inject data into the database, via limited back-office access or a previously existing vulnerability, can exploit unprotected variables in back-office templates. Versions 8.2.5 and 9.1.0 contain a fix. No known workarounds are available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T21:41:13.249Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-35pf-37c6-jxjv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-35pf-37c6-jxjv"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/releases/tag/8.2.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/releases/tag/8.2.5"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/releases/tag/9.1.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/releases/tag/9.1.0"
}
],
"source": {
"advisory": "GHSA-35pf-37c6-jxjv",
"discovery": "UNKNOWN"
},
"title": "PrestaShop has multiple stored XSS vulnerabilities via unprotected Template variables"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33673",
"datePublished": "2026-03-26T21:41:13.249Z",
"dateReserved": "2026-03-23T16:34:59.930Z",
"dateUpdated": "2026-03-27T20:27:40.683Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25597 (GCVE-0-2026-25597)
Vulnerability from nvd – Published: 2026-02-06 20:47 – Updated: 2026-02-09 15:27
Title
PrestaShop has a time based enumeration in FO login form
Summary
PrestaShop is an open source e-commerce web application. 8.x releases prior to 8.2.4 and 9.x releases prior to 9.0.3 have a time-based user enumeration vulnerability in the front-office (customer) login form: an unauthenticated attacker can determine whether a customer account exists by measuring response times (CWE-208). The issue is fixed in 8.2.4 and 9.0.3; no workaround is listed in the record.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-208 - Observable Timing Discrepancy
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/PrestaShop/PrestaShop/security… | x_refsource_CONFIRM |
| https://github.com/PrestaShop/PrestaShop/releases… | x_refsource_MISC |
| https://github.com/PrestaShop/PrestaShop/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| PrestaShop | PrestaShop |
Affected:
< 8.2.4
Affected: >= 9.0.0-alpha.1, < 9.0.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25597",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-09T15:22:00.831000Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T15:27:54.047Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "PrestaShop",
"vendor": "PrestaShop",
"versions": [
{
"status": "affected",
"version": "\u003c 8.2.4"
},
{
"status": "affected",
"version": "\u003e= 9.0.0-alpha.1, \u003c 9.0.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PrestaShop is an open source e-commerce web application. Prior to 8.2.4 and 9.0.3, there is a time-based user enumeration vulnerability in the user authentication functionality of PrestaShop. This vulnerability allows an attacker to determine whether a customer account exists in the system by measuring response times. This vulnerability is fixed in 8.2.4 and 9.0.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-208",
"description": "CWE-208: Observable Timing Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-06T20:47:24.793Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-67v7-3g49-mxh2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-67v7-3g49-mxh2"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/releases/tag/8.2.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/releases/tag/8.2.4"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/releases/tag/9.0.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/releases/tag/9.0.3"
}
],
"source": {
"advisory": "GHSA-67v7-3g49-mxh2",
"discovery": "UNKNOWN"
},
"title": "PrestaShop has a time based enumeration in FO login form"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25597",
"datePublished": "2026-02-06T20:47:24.793Z",
"dateReserved": "2026-02-03T01:02:46.717Z",
"dateUpdated": "2026-02-09T15:27:54.047Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-51586 (GCVE-0-2025-51586)
Vulnerability from nvd – Published: 2025-09-08 00:00 – Updated: 2025-09-08 17:50
Summary
An issue was discovered in the file controllers/admin/AdminLoginController.php in PrestaShop before 8.2.1 that allows attackers to gain sensitive information via the admin login controller's reset-password feature (CWE-359, per the CISA-ADP enrichment). Note that the CNA record carries no structured affected-version data (vendor, product and version are all "n/a"), so the "before 8.2.1" range rests on this description and the 8.2.1 release-notes reference only.
Severity
3.7 (Low) — CVSS supplied by CISA-ADP; the CNA record contains no metric
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- n/a
- CWE-359 - Exposure of Private Personal Information to an Unauthorized Actor
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-51586",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-08T17:47:26.728568Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-359",
"description": "CWE-359 Exposure of Private Personal Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-08T17:50:16.864Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discoverd in file controllers/admin/AdminLoginController.php in PrestaShop before 8.2.1 allowing attackers to gain sensitive information via the reset password feature."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-08T16:36:17.752Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://prestashop.com/"
},
{
"url": "https://github.com/PrestaShop/PrestaShop/releases/tag/8.2.1"
},
{
"url": "https://maxime-morel.github.io/advisories/2025/CVE-2025-51586.md"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-51586",
"datePublished": "2025-09-08T00:00:00.000Z",
"dateReserved": "2025-06-16T00:00:00.000Z",
"dateUpdated": "2025-09-08T17:50:16.864Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-25692 (GCVE-0-2025-25692)
Vulnerability from nvd – Published: 2025-07-30 00:00 – Updated: 2025-07-30 18:55
Summary
A PHAR deserialization vulnerability in the _getHeaders function of PrestaShop v8.2.0 allows attackers to execute arbitrary code via a crafted POST request. Caveats: the record names only v8.2.0, has no structured affected-version data (vendor/product/version are "n/a") and names no fixed version; the 6.5 CVSS (C:L/I:L/A:N, PR:N) was added by CISA-ADP and does not match the arbitrary-code-execution impact claimed here or the SSVC "Technical Impact: total", so treat the score as provisional; and the only technical reference is a third-party write-up (3em0/cve_repo), not a vendor advisory.
Severity
6.5 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-25692",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-30T18:54:33.959422Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-30T18:55:36.333Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A PHAR deserialization vulnerability in the _getHeaders function of PrestaShop v8.2.0 allows attackers to execute arbitrary code via a crafted POST request."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-30T16:48:03.674Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/PrestaShop/PrestaShop"
},
{
"url": "http://prestashop.com"
},
{
"url": "https://github.com/3em0/cve_repo/blob/main/preshop/CVE-2025-25692.md"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-25692",
"datePublished": "2025-07-30T00:00:00.000Z",
"dateReserved": "2025-02-07T00:00:00.000Z",
"dateUpdated": "2025-07-30T18:55:36.333Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-25691 (GCVE-0-2025-25691)
Vulnerability from nvd – Published: 2025-07-30 00:00 – Updated: 2025-07-30 18:59
Summary
A PHAR deserialization vulnerability in the /themes/import component of PrestaShop v8.2.0 allows attackers to execute arbitrary code via a crafted POST request. Caveats: the reproduction URL in the references sits under the back-office admin path (/admin/index.php/improve/design/themes/import, with a _token parameter), which suggests authenticated back-office access is needed even though the CISA-ADP CVSS vector says PR:N; no fixed version is named and the affected entry is "n/a"; and two of the references point at the researcher's demo host (dem0.com) rather than vendor sources.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-25691",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-30T18:58:25.566269Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-30T18:59:02.330Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A PHAR deserialization vulnerability in the component /themes/import of PrestaShop v8.2.0 allows attackers to execute arbitrary code via a crafted POST request."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-30T16:51:06.387Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/PrestaShop/PrestaShop"
},
{
"url": "http://prestashop.com"
},
{
"url": "http://dem0.com"
},
{
"url": "http://dem0.com/admin/index.php/improve/design/themes/import?_token=btRUtV2Om2noliZZjeFQZhlMY3gYivjABbPOjP91L6U"
},
{
"url": "https://github.com/3em0/cve_repo/blob/main/preshop/CVE-2025-25691.md"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-25691",
"datePublished": "2025-07-30T00:00:00.000Z",
"dateReserved": "2025-02-07T00:00:00.000Z",
"dateUpdated": "2025-07-30T18:59:02.330Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-1230 (GCVE-0-2025-1230)
Vulnerability from nvd – Published: 2025-02-12 10:38 – Updated: 2025-02-12 16:07
Title
Cross-Site Scripting (XSS) vulnerability in Prestashop
Summary
Stored Cross-Site Scripting (XSS) vulnerability in PrestaShop 8.1.7, due to the lack of proper validation of user input through '/<admin_directory>/index.php', affecting the 'link' parameter. This could allow a remote user to send a specially crafted query to an authenticated user and steal their session cookie. Note that the CVSS vector rates this PR:H/UI:R (an attacker already holding high privileges plus a victim action), only 8.1.7 is listed as affected, and the record's solution text says the vendor was still working on a fix at publication — check later release notes rather than assuming a specific fixed version.
Severity
4.8 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Prestashop | Prestashop |
Affected:
8.1.7
|
Date Public
2025-02-11 11:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-1230",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-12T14:56:07.683783Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T16:07:33.164Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Prestashop",
"vendor": "Prestashop",
"versions": [
{
"status": "affected",
"version": "8.1.7"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "David Aparicio Salcedo"
}
],
"datePublic": "2025-02-11T11:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Stored Cross-Site Scripting (XSS) vulnerability in Prestashop 8.1.7, due to the lack of proper validation of user input through \u2018/\u0026lt;admin_directory\u0026gt;/index.php\u2019, affecting the \u2018link\u2019 parameter. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal their cookie session details."
}
],
"value": "Stored Cross-Site Scripting (XSS) vulnerability in Prestashop 8.1.7, due to the lack of proper validation of user input through \u2018/\u003cadmin_directory\u003e/index.php\u2019, affecting the \u2018link\u2019 parameter. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal their cookie session details."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T10:38:08.379Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/cross-site-scripting-xss-vulnerability-prestashop"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The manufacturer is working on a fix for this vulnerability. It is recommended to update to the latest version available."
}
],
"value": "The manufacturer is working on a fix for this vulnerability. It is recommended to update to the latest version available."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Cross-Site Scripting (XSS) vulnerability in Prestashop",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2025-1230",
"datePublished": "2025-02-12T10:38:08.379Z",
"dateReserved": "2025-02-11T12:01:22.175Z",
"dateUpdated": "2025-02-12T16:07:33.164Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-36626 (GCVE-0-2024-36626)
Vulnerability from nvd – Published: 2024-11-29 00:00 – Updated: 2024-11-29 17:07
Summary
In PrestaShop 8.1.4, a NULL pointer dereference (CWE-476) was identified in the math_round function within classes/Tools.php. The record lists only 8.1.4 as affected and names no fixed version, but the references include a PrestaShop commit (20fa5422…) and a line reference into Tools.php at 8.1.4, so operators can check whether their release contains that commit. The CISA-ADP CVSS (5.3, A:L, PR:N) treats it as an unauthenticated availability-only issue.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- n/a
- CWE-476 - NULL Pointer Dereference
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| prestashop | prestashop |
Affected:
8.1.4
cpe:2.3:a:prestashop:prestashop:8.1.4:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:prestashop:prestashop:8.1.4:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "prestashop",
"vendor": "prestashop",
"versions": [
{
"status": "affected",
"version": "8.1.4"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-36626",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-29T17:06:57.417720Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-29T17:07:03.796Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In prestashop 8.1.4, a NULL pointer dereference was identified in the math_round function within Tools.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-29T16:53:48.677Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/prestashop/prestashop/commit/20fa542294da2cfa034a48041e292acaed0c2a7f"
},
{
"url": "https://github.com/PrestaShop/PrestaShop/blob/8.1.4/classes/Tools.php#L1774"
},
{
"url": "https://gist.github.com/1047524396/25c45b61a6374e0fdaf720c9863c6bcd"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-36626",
"datePublished": "2024-11-29T00:00:00.000Z",
"dateReserved": "2024-05-30T00:00:00.000Z",
"dateUpdated": "2024-11-29T17:07:03.796Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-41651 (GCVE-0-2024-41651)
Vulnerability from nvd – Published: 2024-08-12 00:00 – Updated: 2024-10-09 17:54 Disputed
Summary
An issue in Prestashop v.8.1.7 and before allows a remote attacker to execute arbitrary code via the module upgrade functionality. NOTE: this is disputed by multiple parties, who report that exploitation requires that an attacker be able to hijack network requests made by an admin user (who, by design, is allowed to change the code that is running on the server).
Severity
9.8 (Critical)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- n/a
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| prestashop | prestashop |
Affected:
0 , ≤ 8.1.7
(custom)
cpe:2.3:a:prestashop:prestashop:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:prestashop:prestashop:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "prestashop",
"vendor": "prestashop",
"versions": [
{
"lessThanOrEqual": "8.1.7",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-41651",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-14T20:19:12.834457Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-14T20:25:02.183Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue in Prestashop v.8.1.7 and before allows a remote attacker to execute arbitrary code via the module upgrade functionality. NOTE: this is disputed by multiple parties, who report that exploitation requires that an attacker be able to hijack network requests made by an admin user (who, by design, is allowed to change the code that is running on the server)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-09T17:54:52.491Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/Fckroun/CVE-2024-41651/tree/main"
}
],
"tags": [
"disputed"
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-41651",
"datePublished": "2024-08-12T00:00:00.000Z",
"dateReserved": "2024-07-18T00:00:00.000Z",
"dateUpdated": "2024-10-09T17:54:52.491Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-34717 (GCVE-0-2024-34717)
Vulnerability from nvd – Published: 2024-05-14 15:47 – Updated: 2024-08-02 02:59
Title
Anonymous PrestaShop customer can download other customers' invoices
Summary
PrestaShop is an open source e-commerce web application. In PrestaShop 8.1.5, any invoice can be downloaded from the front office in anonymous mode by supplying a random secure_key parameter in the URL. This issue is patched in version 8.1.6. No known workarounds are available.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/PrestaShop/PrestaShop/security… | x_refsource_CONFIRM |
| https://github.com/PrestaShop/PrestaShop/releases… | x_refsource_MISC |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| PrestaShop | PrestaShop |
Affected:
= 8.1.5
|
|
| prestashop | prestashop |
Affected:
8.1.0 , < 8.1.6
(custom)
cpe:2.3:a:prestashop:prestashop:8.1.0:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:prestashop:prestashop:8.1.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "prestashop",
"vendor": "prestashop",
"versions": [
{
"lessThan": "8.1.6",
"status": "affected",
"version": "8.1.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-34717",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-15T13:22:48.091893Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:41:41.822Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:59:22.270Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-7pjr-2rgh-fc5g",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-7pjr-2rgh-fc5g"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/releases/tag/8.1.6",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/releases/tag/8.1.6"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PrestaShop",
"vendor": "PrestaShop",
"versions": [
{
"status": "affected",
"version": "= 8.1.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PrestaShop is an open source e-commerce web application. In PrestaShop 8.1.5, any invoice can be downloaded from front-office in anonymous mode, by supplying a random secure_key parameter in the url. This issue is patched in version 8.1.6. No known workarounds are available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-14T15:47:27.265Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-7pjr-2rgh-fc5g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-7pjr-2rgh-fc5g"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/releases/tag/8.1.6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/releases/tag/8.1.6"
}
],
"source": {
"advisory": "GHSA-7pjr-2rgh-fc5g",
"discovery": "UNKNOWN"
},
"title": "Anonymous PrestaShop customer can download other customers\u0027 invoices"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-34717",
"datePublished": "2024-05-14T15:47:27.265Z",
"dateReserved": "2024-05-07T13:53:00.134Z",
"dateUpdated": "2024-08-02T02:59:22.270Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-34716 (GCVE-0-2024-34716)
Vulnerability from nvd – Published: 2024-05-14 15:45 – Updated: 2024-08-02 02:59
Title
PrestaShop vulnerable to XSS via customer contact form in FO, through file upload
Summary
PrestaShop is an open source e-commerce web application. A cross-site scripting (XSS) vulnerability that only affects PrestaShop installations with the customer-thread feature flag enabled is present starting from PrestaShop 8.1.0 and prior to PrestaShop 8.1.6. When the customer-thread feature flag is enabled, an attacker can upload, through the front-office contact form, a malicious file containing an XSS payload that is executed when an admin opens the attached file in the back office. The injected script can access the session and the security token, which allows it to perform any authenticated action within the scope of the administrator's rights. This vulnerability is patched in 8.1.6. A workaround is to disable the customer-thread feature flag.
Severity
9.7 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/PrestaShop/PrestaShop/security… | x_refsource_CONFIRM |
| https://github.com/PrestaShop/PrestaShop/releases… | x_refsource_MISC |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| PrestaShop | PrestaShop |
Affected:
>= 8.1.0, < 8.1.6
|
|
| prestashop | prestashop |
Affected:
8.1.0 , < 8.1.6
(custom)
cpe:2.3:a:prestashop:prestashop:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:prestashop:prestashop:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "prestashop",
"vendor": "prestashop",
"versions": [
{
"lessThan": "8.1.6",
"status": "affected",
"version": "8.1.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-34716",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-11T20:41:38.434859Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-11T20:43:10.450Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:59:22.218Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-45vm-3j38-7p78",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-45vm-3j38-7p78"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/releases/tag/8.1.6",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/releases/tag/8.1.6"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PrestaShop",
"vendor": "PrestaShop",
"versions": [
{
"status": "affected",
"version": "\u003e= 8.1.0, \u003c 8.1.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PrestaShop is an open source e-commerce web application. A cross-site scripting (XSS) vulnerability that only affects PrestaShops with customer-thread feature flag enabled is present starting from PrestaShop 8.1.0 and prior to PrestaShop 8.1.6. When the customer thread feature flag is enabled through the front-office contact form, a hacker can upload a malicious file containing an XSS that will be executed when an admin opens the attached file in back office. The script injected can access the session and the security token, which allows it to perform any authenticated action in the scope of the administrator\u0027s right. This vulnerability is patched in 8.1.6. A workaround is to disable the customer-thread feature-flag."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.7,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-14T15:45:45.345Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-45vm-3j38-7p78",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-45vm-3j38-7p78"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/releases/tag/8.1.6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/releases/tag/8.1.6"
}
],
"source": {
"advisory": "GHSA-45vm-3j38-7p78",
"discovery": "UNKNOWN"
},
"title": "PrestaShop vulnerable to XSS via customer contact form in FO, through file upload"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-34716",
"datePublished": "2024-05-14T15:45:45.345Z",
"dateReserved": "2024-05-07T13:53:00.134Z",
"dateUpdated": "2024-08-02T02:59:22.218Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-26129 (GCVE-0-2024-26129)
Vulnerability from nvd – Published: 2024-02-19 21:59 – Updated: 2024-08-01 23:59
Title
Prestashop vulnerable to path disclosure in JavaScript variable
Summary
PrestaShop is an open-source e-commerce platform. Starting in version 8.1.0 and prior to version 8.1.4, PrestaShop is vulnerable to path disclosure in a JavaScript variable. A patch is available in version 8.1.4.
Severity
5.8 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/PrestaShop/PrestaShop/security… | x_refsource_CONFIRM |
| https://github.com/PrestaShop/PrestaShop/commit/4… | x_refsource_MISC |
| https://owasp.org/www-community/attacks/Full_Path… | x_refsource_MISC |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| PrestaShop | PrestaShop |
Affected:
>= 8.1.0, < 8.1.4
|
|
| prestashop | prestashop |
Affected:
8.1.0 , < 8.1.4
(custom)
cpe:2.3:a:prestashop:prestashop:8.1.0:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:prestashop:prestashop:8.1.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "prestashop",
"vendor": "prestashop",
"versions": [
{
"lessThan": "8.1.4",
"status": "affected",
"version": "8.1.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26129",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-21T19:38:34.924222Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-25T16:43:47.669Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:59:32.697Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-3366-9287-7qpr",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-3366-9287-7qpr"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/444bd0dea581659918fe2067541b9863cf099dd5",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/444bd0dea581659918fe2067541b9863cf099dd5"
},
{
"name": "https://owasp.org/www-community/attacks/Full_Path_Disclosure",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://owasp.org/www-community/attacks/Full_Path_Disclosure"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PrestaShop",
"vendor": "PrestaShop",
"versions": [
{
"status": "affected",
"version": "\u003e= 8.1.0, \u003c 8.1.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PrestaShop is an open-source e-commerce platform. Starting in version 8.1.0 and prior to version 8.1.4, PrestaShop is vulnerable to path disclosure in a JavaScript variable. A patch is available in version 8.1.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-19T21:59:54.426Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-3366-9287-7qpr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-3366-9287-7qpr"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/444bd0dea581659918fe2067541b9863cf099dd5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/444bd0dea581659918fe2067541b9863cf099dd5"
},
{
"name": "https://owasp.org/www-community/attacks/Full_Path_Disclosure",
"tags": [
"x_refsource_MISC"
],
"url": "https://owasp.org/www-community/attacks/Full_Path_Disclosure"
}
],
"source": {
"advisory": "GHSA-3366-9287-7qpr",
"discovery": "UNKNOWN"
},
"title": "Prestashop vulnerable to path disclosure in JavaScript variable"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-26129",
"datePublished": "2024-02-19T21:59:54.426Z",
"dateReserved": "2024-02-14T17:40:03.687Z",
"dateUpdated": "2024-08-01T23:59:32.697Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-21628 (GCVE-0-2024-21628)
Vulnerability from nvd – Published: 2024-01-02 21:17 – Updated: 2024-11-14 19:10
Title
XSS can be stored in DB from "add a message form" in order detail page (FO)
Summary
PrestaShop is an open-source e-commerce platform. Prior to version 8.1.3, the isCleanHtml method is not used on this form, which makes it possible to store a cross-site scripting payload in the database. The impact is low because the HTML is not interpreted in the BO, thanks to Twig's escape mechanism. In the FO, the cross-site scripting attack is effective, but only impacts the customer sending it, or the customer session from which it was sent. This issue affects those who have a module fetching these messages from the DB and displaying them without escaping HTML. Version 8.1.3 contains a patch for this issue.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/PrestaShop/PrestaShop/security… | x_refsource_CONFIRM |
| https://github.com/PrestaShop/PrestaShop/commit/c… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| PrestaShop | PrestaShop |
Affected:
< 8.1.3
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:27:35.896Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-vr7m-r9vm-m4wf",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-vr7m-r9vm-m4wf"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/c3d78b7e49f5fe49a9d07725c3174d005deaa597",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/c3d78b7e49f5fe49a9d07725c3174d005deaa597"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-21628",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-16T16:32:28.268211Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-14T19:10:16.008Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "PrestaShop",
"vendor": "PrestaShop",
"versions": [
{
"status": "affected",
"version": "\u003c 8.1.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PrestaShop is an open-source e-commerce platform. Prior to version 8.1.3, the isCleanHtml method is not used on this this form, which makes it possible to store a cross-site scripting payload in the database. The impact is low because the HTML is not interpreted in BO, thanks to twig\u0027s escape mechanism. In FO, the cross-site scripting attack is effective, but only impacts the customer sending it, or the customer session from which it was sent. This issue affects those who have a module fetching these messages from the DB and displaying it without escaping HTML. Version 8.1.3 contains a patch for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-02T21:17:14.733Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-vr7m-r9vm-m4wf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-vr7m-r9vm-m4wf"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/c3d78b7e49f5fe49a9d07725c3174d005deaa597",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/c3d78b7e49f5fe49a9d07725c3174d005deaa597"
}
],
"source": {
"advisory": "GHSA-vr7m-r9vm-m4wf",
"discovery": "UNKNOWN"
},
"title": "XSS can be stored in DB from \"add a message form\" in order detail page (FO)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-21628",
"datePublished": "2024-01-02T21:17:14.733Z",
"dateReserved": "2023-12-29T03:00:44.954Z",
"dateUpdated": "2024-11-14T19:10:16.008Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-21627 (GCVE-0-2024-21627)
Vulnerability from nvd – Published: 2024-01-02 21:03 – Updated: 2025-06-03 14:45
Title
Some attribute not escaped in Validate::isCleanHTML method
Summary
PrestaShop is an open-source e-commerce platform. Prior to versions 8.1.3 and 1.7.8.11, some event attributes are not detected by the `isCleanHTML` method. Some modules using the `isCleanHTML` method could be vulnerable to cross-site scripting. Versions 8.1.3 and 1.7.8.11 contain a patch for this issue. The best workaround is to use the `HTMLPurifier` library to sanitize html input coming from users. The library is already available as a dependency in the PrestaShop project. Beware though that in legacy object models, fields of `HTML` type will call `isCleanHTML`.
Severity
8.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- CWE-20 - Improper Input Validation
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/PrestaShop/PrestaShop/security… | x_refsource_CONFIRM |
| https://github.com/PrestaShop/PrestaShop/commit/7… | x_refsource_MISC |
| https://github.com/PrestaShop/PrestaShop/commit/b… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| PrestaShop | PrestaShop |
Affected:
>= 8.0.0, < 8.1.3
Affected: < 1.7.8.11 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:27:36.164Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-xgpm-q3mq-46rq",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-xgpm-q3mq-46rq"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/73cfb44666818eefd501b526a894fe884dd12129",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/73cfb44666818eefd501b526a894fe884dd12129"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/ba06d18466df5b92cb841d504cc7210121104883",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/ba06d18466df5b92cb841d504cc7210121104883"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-21627",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-08T15:48:20.023420Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-03T14:45:21.732Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "PrestaShop",
"vendor": "PrestaShop",
"versions": [
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.1.3"
},
{
"status": "affected",
"version": "\u003c 1.7.8.11"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PrestaShop is an open-source e-commerce platform. Prior to versions 8.1.3 and 1.7.8.11, some event attributes are not detected by the `isCleanHTML` method. Some modules using the `isCleanHTML` method could be vulnerable to cross-site scripting. Versions 8.1.3 and 1.7.8.11 contain a patch for this issue. The best workaround is to use the `HTMLPurifier` library to sanitize html input coming from users. The library is already available as a dependency in the PrestaShop project. Beware though that in legacy object models, fields of `HTML` type will call `isCleanHTML`."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-02T21:03:17.816Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-xgpm-q3mq-46rq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-xgpm-q3mq-46rq"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/73cfb44666818eefd501b526a894fe884dd12129",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/73cfb44666818eefd501b526a894fe884dd12129"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/ba06d18466df5b92cb841d504cc7210121104883",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/ba06d18466df5b92cb841d504cc7210121104883"
}
],
"source": {
"advisory": "GHSA-xgpm-q3mq-46rq",
"discovery": "UNKNOWN"
},
"title": "Some attribute not escaped in Validate::isCleanHTML method"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-21627",
"datePublished": "2024-01-02T21:03:17.816Z",
"dateReserved": "2023-12-29T03:00:44.954Z",
"dateUpdated": "2025-06-03T14:45:21.732Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-44212 (GCVE-0-2026-44212)
Vulnerability from cvelistv5 – Published: 2026-05-14 20:44 – Updated: 2026-05-15 13:34
Title
PrestaShop: Stored XSS executable in customer service view
Summary
PrestaShop is an open source e-commerce web application. Prior to 8.2.6 and 9.1.1, there is a stored Cross-Site Scripting (XSS) vulnerability in the PrestaShop back-office Customer Service view. An unauthenticated attacker can submit the public Contact Us form with a malicious email address. The payload is stored in the database and executed when a back-office employee opens the affected customer thread, enabling session hijacking and full back-office takeover. This vulnerability is fixed in 8.2.6 and 9.1.1.
Severity
9.3 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/PrestaShop/PrestaShop/security… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| PrestaShop | PrestaShop |
Affected:
< 8.2.6
Affected: >= 9.0.0-alpha.1, < 9.1.1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44212",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-15T13:33:59.708001Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-15T13:34:09.904Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "PrestaShop",
"vendor": "PrestaShop",
"versions": [
{
"status": "affected",
"version": "\u003c 8.2.6"
},
{
"status": "affected",
"version": "\u003e= 9.0.0-alpha.1, \u003c 9.1.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PrestaShop is an open source e-commerce web application. Prior to 8.2.6 and 9.1.1, there is a stored Cross-Site Scripting (XSS) vulnerability in the PrestaShop back-office Customer Service view. An unauthenticated attacker can submit the public Contact Us form with a malicious email address. The payload is stored in the database and executed when a back-office employee opens the affected customer thread, enabling session hijacking and full back-office takeover. This vulnerability is fixed in 8.2.6 and 9.1.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T20:44:08.152Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-w9f3-qc75-qgx9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-w9f3-qc75-qgx9"
}
],
"source": {
"advisory": "GHSA-w9f3-qc75-qgx9",
"discovery": "UNKNOWN"
},
"title": "PrestaShop: Stored XSS executable in customer service view"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44212",
"datePublished": "2026-05-14T20:44:08.152Z",
"dateReserved": "2026-05-05T15:13:47.571Z",
"dateUpdated": "2026-05-15T13:34:09.904Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33674 (GCVE-0-2026-33674)
Vulnerability from cvelistv5 – Published: 2026-03-26 21:42 – Updated: 2026-03-30 11:44
Title
PrestaShop: Improper Use of Validation Framework
Summary
PrestaShop is an open source e-commerce web application. Versions prior to 8.2.5 and 9.1.0 improperly use the validation framework. Versions 8.2.5 and 9.1.0 contain a fix. No known workarounds are available.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-1173 - Improper Use of Validation Framework
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/PrestaShop/PrestaShop/security… | x_refsource_CONFIRM |
| https://github.com/PrestaShop/PrestaShop/releases… | x_refsource_MISC |
| https://github.com/PrestaShop/PrestaShop/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| PrestaShop | PrestaShop |
Affected:
< 8.2.5
Affected: >= 9.0.0-alpha.1, < 9.1.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33674",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-30T11:44:11.753537Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-30T11:44:22.497Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "PrestaShop",
"vendor": "PrestaShop",
"versions": [
{
"status": "affected",
"version": "\u003c 8.2.5"
},
{
"status": "affected",
"version": "\u003e= 9.0.0-alpha.1, \u003c 9.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PrestaShop is an open source e-commerce web application. Versions prior to 8.2.5 and 9.1.0 improperly use the validation framework. Versions 8.2.5 and 9.1.0 contain a fix. No known workarounds are available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1173",
"description": "CWE-1173: Improper Use of Validation Framework",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T21:42:33.590Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-283w-xf3q-788v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-283w-xf3q-788v"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/releases/tag/8.2.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/releases/tag/8.2.5"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/releases/tag/9.1.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/releases/tag/9.1.0"
}
],
"source": {
"advisory": "GHSA-283w-xf3q-788v",
"discovery": "UNKNOWN"
},
"title": "PrestaShop: Improper Use of Validation Framework"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33674",
"datePublished": "2026-03-26T21:42:33.590Z",
"dateReserved": "2026-03-23T16:34:59.930Z",
"dateUpdated": "2026-03-30T11:44:22.497Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33673 (GCVE-0-2026-33673)
Vulnerability from cvelistv5 – Published: 2026-03-26 21:41 – Updated: 2026-03-27 20:27
Title
PrestaShop has multiple stored XSS vulnerabilities via unprotected Template variables
Summary
PrestaShop is an open source e-commerce web application. Versions prior to 8.2.5 and 9.1.0 are vulnerable to stored Cross-Site Scripting (stored XSS) vulnerabilities in the back office (BO). An attacker who can inject data into the database, via limited back-office access or a previously existing vulnerability, can exploit unprotected variables in back-office templates. Versions 8.2.5 and 9.1.0 contain a fix. No known workarounds are available.
Severity
7.7 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/PrestaShop/PrestaShop/security… | x_refsource_CONFIRM |
| https://github.com/PrestaShop/PrestaShop/releases… | x_refsource_MISC |
| https://github.com/PrestaShop/PrestaShop/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| PrestaShop | PrestaShop |
Affected:
>= 9.0.0-alpha.1, < 9.1.0
Affected: < 8.2.5 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33673",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-27T20:27:27.559622Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T20:27:40.683Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "PrestaShop",
"vendor": "PrestaShop",
"versions": [
{
"status": "affected",
"version": "\u003e= 9.0.0-alpha.1, \u003c 9.1.0"
},
{
"status": "affected",
"version": "\u003c 8.2.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PrestaShop is an open source e-commerce web application. Versions prior to 8.2.5 and 9.1.0 are vulnerable to stored Cross-Site Scripting (stored XSS) vulnerabilities in the BO. An attacker who can inject data into the database, via limited back-office access or a previously existing vulnerability, can exploit unprotected variables in back-office templates. Versions 8.2.5 and 9.1.0 contain a fix. No known workarounds are available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T21:41:13.249Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-35pf-37c6-jxjv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-35pf-37c6-jxjv"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/releases/tag/8.2.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/releases/tag/8.2.5"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/releases/tag/9.1.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/releases/tag/9.1.0"
}
],
"source": {
"advisory": "GHSA-35pf-37c6-jxjv",
"discovery": "UNKNOWN"
},
"title": "PrestaShop has multiple stored XSS vulnerabilities via unprotected Template variables"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33673",
"datePublished": "2026-03-26T21:41:13.249Z",
"dateReserved": "2026-03-23T16:34:59.930Z",
"dateUpdated": "2026-03-27T20:27:40.683Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25597 (GCVE-0-2026-25597)
Vulnerability from cvelistv5 – Published: 2026-02-06 20:47 – Updated: 2026-02-09 15:27
Title
PrestaShop has a time based enumeration in FO login form
Summary
PrestaShop is an open source e-commerce web application. Prior to 8.2.4 and 9.0.3, there is a time-based user enumeration vulnerability in the user authentication functionality of PrestaShop. This vulnerability allows an attacker to determine whether a customer account exists in the system by measuring response times. This vulnerability is fixed in 8.2.4 and 9.0.3.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-208 - Observable Timing Discrepancy
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/PrestaShop/PrestaShop/security… | x_refsource_CONFIRM |
| https://github.com/PrestaShop/PrestaShop/releases… | x_refsource_MISC |
| https://github.com/PrestaShop/PrestaShop/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| PrestaShop | PrestaShop |
Affected:
< 8.2.4
Affected: >= 9.0.0-alpha.1, < 9.0.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25597",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-09T15:22:00.831000Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T15:27:54.047Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "PrestaShop",
"vendor": "PrestaShop",
"versions": [
{
"status": "affected",
"version": "\u003c 8.2.4"
},
{
"status": "affected",
"version": "\u003e= 9.0.0-alpha.1, \u003c 9.0.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PrestaShop is an open source e-commerce web application. Prior to 8.2.4 and 9.0.3, there is a time-based user enumeration vulnerability in the user authentication functionality of PrestaShop. This vulnerability allows an attacker to determine whether a customer account exists in the system by measuring response times. This vulnerability is fixed in 8.2.4 and 9.0.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-208",
"description": "CWE-208: Observable Timing Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-06T20:47:24.793Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-67v7-3g49-mxh2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-67v7-3g49-mxh2"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/releases/tag/8.2.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/releases/tag/8.2.4"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/releases/tag/9.0.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/releases/tag/9.0.3"
}
],
"source": {
"advisory": "GHSA-67v7-3g49-mxh2",
"discovery": "UNKNOWN"
},
"title": "PrestaShop has a time based enumeration in FO login form"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25597",
"datePublished": "2026-02-06T20:47:24.793Z",
"dateReserved": "2026-02-03T01:02:46.717Z",
"dateUpdated": "2026-02-09T15:27:54.047Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-51586 (GCVE-0-2025-51586)
Vulnerability from cvelistv5 – Published: 2025-09-08 00:00 – Updated: 2025-09-08 17:50
Summary
An issue was discovered in the file controllers/admin/AdminLoginController.php in PrestaShop before 8.2.1, allowing attackers to gain sensitive information via the reset password feature.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- n/a
- CWE-359 - Exposure of Private Personal Information to an Unauthorized Actor
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-51586",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-08T17:47:26.728568Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-359",
"description": "CWE-359 Exposure of Private Personal Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-08T17:50:16.864Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discoverd in file controllers/admin/AdminLoginController.php in PrestaShop before 8.2.1 allowing attackers to gain sensitive information via the reset password feature."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-08T16:36:17.752Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://prestashop.com/"
},
{
"url": "https://github.com/PrestaShop/PrestaShop/releases/tag/8.2.1"
},
{
"url": "https://maxime-morel.github.io/advisories/2025/CVE-2025-51586.md"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-51586",
"datePublished": "2025-09-08T00:00:00.000Z",
"dateReserved": "2025-06-16T00:00:00.000Z",
"dateUpdated": "2025-09-08T17:50:16.864Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-25691 (GCVE-0-2025-25691)
Vulnerability from cvelistv5 – Published: 2025-07-30 00:00 – Updated: 2025-07-30 18:59
Summary
A PHAR deserialization vulnerability in the component /themes/import of PrestaShop v8.2.0 allows attackers to execute arbitrary code via a crafted POST request.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-25691",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-30T18:58:25.566269Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-30T18:59:02.330Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A PHAR deserialization vulnerability in the component /themes/import of PrestaShop v8.2.0 allows attackers to execute arbitrary code via a crafted POST request."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-30T16:51:06.387Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/PrestaShop/PrestaShop"
},
{
"url": "http://prestashop.com"
},
{
"url": "http://dem0.com"
},
{
"url": "http://dem0.com/admin/index.php/improve/design/themes/import?_token=btRUtV2Om2noliZZjeFQZhlMY3gYivjABbPOjP91L6U"
},
{
"url": "https://github.com/3em0/cve_repo/blob/main/preshop/CVE-2025-25691.md"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-25691",
"datePublished": "2025-07-30T00:00:00.000Z",
"dateReserved": "2025-02-07T00:00:00.000Z",
"dateUpdated": "2025-07-30T18:59:02.330Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-25692 (GCVE-0-2025-25692)
Vulnerability from cvelistv5 – Published: 2025-07-30 00:00 – Updated: 2025-07-30 18:55
Summary
A PHAR deserialization vulnerability in the _getHeaders function of PrestaShop v8.2.0 allows attackers to execute arbitrary code via a crafted POST request.
Severity
6.5 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-25692",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-30T18:54:33.959422Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-30T18:55:36.333Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A PHAR deserialization vulnerability in the _getHeaders function of PrestaShop v8.2.0 allows attackers to execute arbitrary code via a crafted POST request."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-30T16:48:03.674Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/PrestaShop/PrestaShop"
},
{
"url": "http://prestashop.com"
},
{
"url": "https://github.com/3em0/cve_repo/blob/main/preshop/CVE-2025-25692.md"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-25692",
"datePublished": "2025-07-30T00:00:00.000Z",
"dateReserved": "2025-02-07T00:00:00.000Z",
"dateUpdated": "2025-07-30T18:55:36.333Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-1230 (GCVE-0-2025-1230)
Vulnerability from cvelistv5 – Published: 2025-02-12 10:38 – Updated: 2025-02-12 16:07
Title
Cross-Site Scripting (XSS) vulnerability in Prestashop
Summary
Stored Cross-Site Scripting (XSS) vulnerability in Prestashop 8.1.7, due to the lack of proper validation of user input through ‘/<admin_directory>/index.php’, affecting the ‘link’ parameter. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal their cookie session details.
Severity
4.8 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Prestashop | Prestashop |
Affected:
8.1.7
|
Date Public
2025-02-11 11:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-1230",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-12T14:56:07.683783Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T16:07:33.164Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Prestashop",
"vendor": "Prestashop",
"versions": [
{
"status": "affected",
"version": "8.1.7"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "David Aparicio Salcedo"
}
],
"datePublic": "2025-02-11T11:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Stored Cross-Site Scripting (XSS) vulnerability in Prestashop 8.1.7, due to the lack of proper validation of user input through \u2018/\u0026lt;admin_directory\u0026gt;/index.php\u2019, affecting the \u2018link\u2019 parameter. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal their cookie session details."
}
],
"value": "Stored Cross-Site Scripting (XSS) vulnerability in Prestashop 8.1.7, due to the lack of proper validation of user input through \u2018/\u003cadmin_directory\u003e/index.php\u2019, affecting the \u2018link\u2019 parameter. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal their cookie session details."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T10:38:08.379Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/cross-site-scripting-xss-vulnerability-prestashop"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The manufacturer is working on a fix for this vulnerability. It is recommended to update to the latest version available."
}
],
"value": "The manufacturer is working on a fix for this vulnerability. It is recommended to update to the latest version available."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Cross-Site Scripting (XSS) vulnerability in Prestashop",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2025-1230",
"datePublished": "2025-02-12T10:38:08.379Z",
"dateReserved": "2025-02-11T12:01:22.175Z",
"dateUpdated": "2025-02-12T16:07:33.164Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-36626 (GCVE-0-2024-36626)
Vulnerability from cvelistv5 – Published: 2024-11-29 00:00 – Updated: 2024-11-29 17:07
Summary
In prestashop 8.1.4, a NULL pointer dereference was identified in the math_round function within Tools.php.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- n/a
- CWE-476 - NULL Pointer Dereference
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| prestashop | prestashop |
Affected:
8.1.4
cpe:2.3:a:prestashop:prestashop:8.1.4:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:prestashop:prestashop:8.1.4:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "prestashop",
"vendor": "prestashop",
"versions": [
{
"status": "affected",
"version": "8.1.4"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-36626",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-29T17:06:57.417720Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-29T17:07:03.796Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In prestashop 8.1.4, a NULL pointer dereference was identified in the math_round function within Tools.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-29T16:53:48.677Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/prestashop/prestashop/commit/20fa542294da2cfa034a48041e292acaed0c2a7f"
},
{
"url": "https://github.com/PrestaShop/PrestaShop/blob/8.1.4/classes/Tools.php#L1774"
},
{
"url": "https://gist.github.com/1047524396/25c45b61a6374e0fdaf720c9863c6bcd"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-36626",
"datePublished": "2024-11-29T00:00:00.000Z",
"dateReserved": "2024-05-30T00:00:00.000Z",
"dateUpdated": "2024-11-29T17:07:03.796Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-41651 (GCVE-0-2024-41651)
Vulnerability from cvelistv5 – Published: 2024-08-12 00:00 – Updated: 2024-10-09 17:54 Disputed
Summary
An issue in Prestashop v.8.1.7 and before allows a remote attacker to execute arbitrary code via the module upgrade functionality. NOTE: this is disputed by multiple parties, who report that exploitation requires that an attacker be able to hijack network requests made by an admin user (who, by design, is allowed to change the code that is running on the server).
Severity
9.8 (Critical)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- n/a
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| prestashop | prestashop |
Affected:
0 , ≤ 8.1.7
(custom)
cpe:2.3:a:prestashop:prestashop:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:prestashop:prestashop:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "prestashop",
"vendor": "prestashop",
"versions": [
{
"lessThanOrEqual": "8.1.7",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-41651",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-14T20:19:12.834457Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-14T20:25:02.183Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue in Prestashop v.8.1.7 and before allows a remote attacker to execute arbitrary code via the module upgrade functionality. NOTE: this is disputed by multiple parties, who report that exploitation requires that an attacker be able to hijack network requests made by an admin user (who, by design, is allowed to change the code that is running on the server)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-09T17:54:52.491Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/Fckroun/CVE-2024-41651/tree/main"
}
],
"tags": [
"disputed"
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-41651",
"datePublished": "2024-08-12T00:00:00.000Z",
"dateReserved": "2024-07-18T00:00:00.000Z",
"dateUpdated": "2024-10-09T17:54:52.491Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-34717 (GCVE-0-2024-34717)
Vulnerability from cvelistv5 – Published: 2024-05-14 15:47 – Updated: 2024-08-02 02:59
Title
Anonymous PrestaShop customer can download other customers' invoices
Summary
PrestaShop is an open source e-commerce web application. In PrestaShop 8.1.5, any invoice can be downloaded from the front-office in anonymous mode by supplying a random secure_key parameter in the URL. This issue is patched in version 8.1.6. No known workarounds are available.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/PrestaShop/PrestaShop/security… | x_refsource_CONFIRM |
| https://github.com/PrestaShop/PrestaShop/releases… | x_refsource_MISC |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| PrestaShop | PrestaShop |
Affected:
= 8.1.5
|
|
| prestashop | prestashop |
Affected:
8.1.0 , < 8.1.6
(custom)
cpe:2.3:a:prestashop:prestashop:8.1.0:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:prestashop:prestashop:8.1.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "prestashop",
"vendor": "prestashop",
"versions": [
{
"lessThan": "8.1.6",
"status": "affected",
"version": "8.1.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-34717",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-15T13:22:48.091893Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:41:41.822Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:59:22.270Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-7pjr-2rgh-fc5g",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-7pjr-2rgh-fc5g"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/releases/tag/8.1.6",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/releases/tag/8.1.6"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PrestaShop",
"vendor": "PrestaShop",
"versions": [
{
"status": "affected",
"version": "= 8.1.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PrestaShop is an open source e-commerce web application. In PrestaShop 8.1.5, any invoice can be downloaded from front-office in anonymous mode, by supplying a random secure_key parameter in the url. This issue is patched in version 8.1.6. No known workarounds are available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-14T15:47:27.265Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-7pjr-2rgh-fc5g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-7pjr-2rgh-fc5g"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/releases/tag/8.1.6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/releases/tag/8.1.6"
}
],
"source": {
"advisory": "GHSA-7pjr-2rgh-fc5g",
"discovery": "UNKNOWN"
},
"title": "Anonymous PrestaShop customer can download other customers\u0027 invoices"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-34717",
"datePublished": "2024-05-14T15:47:27.265Z",
"dateReserved": "2024-05-07T13:53:00.134Z",
"dateUpdated": "2024-08-02T02:59:22.270Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-34716 (GCVE-0-2024-34716)
Vulnerability from cvelistv5 – Published: 2024-05-14 15:45 – Updated: 2024-08-02 02:59
Title
PrestaShop vulnerable to XSS via customer contact form in FO, through file upload
Summary
PrestaShop is an open source e-commerce web application. A cross-site scripting (XSS) vulnerability that only affects PrestaShop installations with the customer-thread feature flag enabled is present starting from PrestaShop 8.1.0 and prior to PrestaShop 8.1.6. When the customer-thread feature flag is enabled, an attacker can upload, through the front-office contact form, a malicious file containing an XSS payload that is executed when an admin opens the attached file in the back office. The injected script can access the session and the security token, which allows it to perform any authenticated action within the scope of the administrator's rights. This vulnerability is patched in 8.1.6. A workaround is to disable the customer-thread feature flag.
Severity
9.7 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/PrestaShop/PrestaShop/security… | x_refsource_CONFIRM |
| https://github.com/PrestaShop/PrestaShop/releases… | x_refsource_MISC |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| PrestaShop | PrestaShop |
Affected:
>= 8.1.0, < 8.1.6
|
|
| prestashop | prestashop |
Affected:
8.1.0 , < 8.1.6
(custom)
cpe:2.3:a:prestashop:prestashop:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:prestashop:prestashop:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "prestashop",
"vendor": "prestashop",
"versions": [
{
"lessThan": "8.1.6",
"status": "affected",
"version": "8.1.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-34716",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-11T20:41:38.434859Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-11T20:43:10.450Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:59:22.218Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-45vm-3j38-7p78",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-45vm-3j38-7p78"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/releases/tag/8.1.6",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/releases/tag/8.1.6"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PrestaShop",
"vendor": "PrestaShop",
"versions": [
{
"status": "affected",
"version": "\u003e= 8.1.0, \u003c 8.1.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PrestaShop is an open source e-commerce web application. A cross-site scripting (XSS) vulnerability that only affects PrestaShops with customer-thread feature flag enabled is present starting from PrestaShop 8.1.0 and prior to PrestaShop 8.1.6. When the customer thread feature flag is enabled through the front-office contact form, a hacker can upload a malicious file containing an XSS that will be executed when an admin opens the attached file in back office. The script injected can access the session and the security token, which allows it to perform any authenticated action in the scope of the administrator\u0027s right. This vulnerability is patched in 8.1.6. A workaround is to disable the customer-thread feature-flag."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.7,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-14T15:45:45.345Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-45vm-3j38-7p78",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-45vm-3j38-7p78"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/releases/tag/8.1.6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/releases/tag/8.1.6"
}
],
"source": {
"advisory": "GHSA-45vm-3j38-7p78",
"discovery": "UNKNOWN"
},
"title": "PrestaShop vulnerable to XSS via customer contact form in FO, through file upload"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-34716",
"datePublished": "2024-05-14T15:45:45.345Z",
"dateReserved": "2024-05-07T13:53:00.134Z",
"dateUpdated": "2024-08-02T02:59:22.218Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-26129 (GCVE-0-2024-26129)
Vulnerability from cvelistv5 – Published: 2024-02-19 21:59 – Updated: 2024-08-01 23:59
Title
Prestashop vulnerable to path disclosure in JavaScript variable
Summary
PrestaShop is an open-source e-commerce platform. Starting in version 8.1.0 and prior to version 8.1.4, PrestaShop is vulnerable to path disclosure in a JavaScript variable. A patch is available in version 8.1.4.
Severity
5.8 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/PrestaShop/PrestaShop/security… | x_refsource_CONFIRM |
| https://github.com/PrestaShop/PrestaShop/commit/4… | x_refsource_MISC |
| https://owasp.org/www-community/attacks/Full_Path… | x_refsource_MISC |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| PrestaShop | PrestaShop |
Affected:
>= 8.1.0, < 8.1.4
|
|
| prestashop | prestashop |
Affected:
8.1.0 , < 8.1.4
(custom)
cpe:2.3:a:prestashop:prestashop:8.1.0:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:prestashop:prestashop:8.1.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "prestashop",
"vendor": "prestashop",
"versions": [
{
"lessThan": "8.1.4",
"status": "affected",
"version": "8.1.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26129",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-21T19:38:34.924222Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-25T16:43:47.669Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:59:32.697Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-3366-9287-7qpr",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-3366-9287-7qpr"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/444bd0dea581659918fe2067541b9863cf099dd5",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/444bd0dea581659918fe2067541b9863cf099dd5"
},
{
"name": "https://owasp.org/www-community/attacks/Full_Path_Disclosure",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://owasp.org/www-community/attacks/Full_Path_Disclosure"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PrestaShop",
"vendor": "PrestaShop",
"versions": [
{
"status": "affected",
"version": "\u003e= 8.1.0, \u003c 8.1.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PrestaShop is an open-source e-commerce platform. Starting in version 8.1.0 and prior to version 8.1.4, PrestaShop is vulnerable to path disclosure in a JavaScript variable. A patch is available in version 8.1.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-19T21:59:54.426Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-3366-9287-7qpr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-3366-9287-7qpr"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/444bd0dea581659918fe2067541b9863cf099dd5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/444bd0dea581659918fe2067541b9863cf099dd5"
},
{
"name": "https://owasp.org/www-community/attacks/Full_Path_Disclosure",
"tags": [
"x_refsource_MISC"
],
"url": "https://owasp.org/www-community/attacks/Full_Path_Disclosure"
}
],
"source": {
"advisory": "GHSA-3366-9287-7qpr",
"discovery": "UNKNOWN"
},
"title": "Prestashop vulnerable to path disclosure in JavaScript variable"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-26129",
"datePublished": "2024-02-19T21:59:54.426Z",
"dateReserved": "2024-02-14T17:40:03.687Z",
"dateUpdated": "2024-08-01T23:59:32.697Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-21628 (GCVE-0-2024-21628)
Vulnerability from cvelistv5 – Published: 2024-01-02 21:17 – Updated: 2024-11-14 19:10
Title
XSS can be stored in DB from "add a message form" in order detail page (FO)
Summary
PrestaShop is an open-source e-commerce platform. Prior to version 8.1.3, the isCleanHtml method is not used on this form, which makes it possible to store a cross-site scripting payload in the database. The impact is low because the HTML is not interpreted in the BO, thanks to twig's escape mechanism. In the FO, the cross-site scripting attack is effective, but only impacts the customer sending it, or the customer session from which it was sent. This issue affects those who have a module fetching these messages from the DB and displaying them without escaping HTML. Version 8.1.3 contains a patch for this issue.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/PrestaShop/PrestaShop/security… | x_refsource_CONFIRM |
| https://github.com/PrestaShop/PrestaShop/commit/c… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| PrestaShop | PrestaShop |
Affected:
< 8.1.3
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:27:35.896Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-vr7m-r9vm-m4wf",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-vr7m-r9vm-m4wf"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/c3d78b7e49f5fe49a9d07725c3174d005deaa597",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/c3d78b7e49f5fe49a9d07725c3174d005deaa597"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-21628",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-16T16:32:28.268211Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-14T19:10:16.008Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "PrestaShop",
"vendor": "PrestaShop",
"versions": [
{
"status": "affected",
"version": "\u003c 8.1.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PrestaShop is an open-source e-commerce platform. Prior to version 8.1.3, the isCleanHtml method is not used on this form, which makes it possible to store a cross-site scripting payload in the database. The impact is low because the HTML is not interpreted in BO, thanks to twig\u0027s escape mechanism. In FO, the cross-site scripting attack is effective, but only impacts the customer sending it, or the customer session from which it was sent. This issue affects those who have a module fetching these messages from the DB and displaying it without escaping HTML. Version 8.1.3 contains a patch for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-02T21:17:14.733Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-vr7m-r9vm-m4wf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-vr7m-r9vm-m4wf"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/c3d78b7e49f5fe49a9d07725c3174d005deaa597",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/c3d78b7e49f5fe49a9d07725c3174d005deaa597"
}
],
"source": {
"advisory": "GHSA-vr7m-r9vm-m4wf",
"discovery": "UNKNOWN"
},
"title": "XSS can be stored in DB from \"add a message form\" in order detail page (FO)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-21628",
"datePublished": "2024-01-02T21:17:14.733Z",
"dateReserved": "2023-12-29T03:00:44.954Z",
"dateUpdated": "2024-11-14T19:10:16.008Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-21627 (GCVE-0-2024-21627)
Vulnerability from cvelistv5 – Published: 2024-01-02 21:03 – Updated: 2025-06-03 14:45
Title
Some attribute not escaped in Validate::isCleanHTML method
Summary
PrestaShop is an open-source e-commerce platform. Prior to versions 8.1.3 and 1.7.8.11, some event attributes are not detected by the `isCleanHTML` method. Some modules using the `isCleanHTML` method could be vulnerable to cross-site scripting. Versions 8.1.3 and 1.7.8.11 contain a patch for this issue. The best workaround is to use the `HTMLPurifier` library to sanitize HTML input coming from users. The library is already available as a dependency in the PrestaShop project. Beware, though, that in legacy object models, fields of `HTML` type will call `isCleanHTML`.
Severity
8.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/PrestaShop/PrestaShop/security… | x_refsource_CONFIRM |
| https://github.com/PrestaShop/PrestaShop/commit/7… | x_refsource_MISC |
| https://github.com/PrestaShop/PrestaShop/commit/b… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| PrestaShop | PrestaShop |
Affected:
>= 8.0.0, < 8.1.3
Affected: < 1.7.8.11 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:27:36.164Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-xgpm-q3mq-46rq",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-xgpm-q3mq-46rq"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/73cfb44666818eefd501b526a894fe884dd12129",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/73cfb44666818eefd501b526a894fe884dd12129"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/ba06d18466df5b92cb841d504cc7210121104883",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/ba06d18466df5b92cb841d504cc7210121104883"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-21627",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-08T15:48:20.023420Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-03T14:45:21.732Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "PrestaShop",
"vendor": "PrestaShop",
"versions": [
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.1.3"
},
{
"status": "affected",
"version": "\u003c 1.7.8.11"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PrestaShop is an open-source e-commerce platform. Prior to versions 8.1.3 and 1.7.8.11, some event attributes are not detected by the `isCleanHTML` method. Some modules using the `isCleanHTML` method could be vulnerable to cross-site scripting. Versions 8.1.3 and 1.7.8.11 contain a patch for this issue. The best workaround is to use the `HTMLPurifier` library to sanitize html input coming from users. The library is already available as a dependency in the PrestaShop project. Beware though that in legacy object models, fields of `HTML` type will call `isCleanHTML`."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-02T21:03:17.816Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-xgpm-q3mq-46rq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-xgpm-q3mq-46rq"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/73cfb44666818eefd501b526a894fe884dd12129",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/73cfb44666818eefd501b526a894fe884dd12129"
},
{
"name": "https://github.com/PrestaShop/PrestaShop/commit/ba06d18466df5b92cb841d504cc7210121104883",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrestaShop/PrestaShop/commit/ba06d18466df5b92cb841d504cc7210121104883"
}
],
"source": {
"advisory": "GHSA-xgpm-q3mq-46rq",
"discovery": "UNKNOWN"
},
"title": "Some attribute not escaped in Validate::isCleanHTML method"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-21627",
"datePublished": "2024-01-02T21:03:17.816Z",
"dateReserved": "2023-12-29T03:00:44.954Z",
"dateUpdated": "2025-06-03T14:45:21.732Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}