Vulnerabilities > Prestashop > Critical

DATE CVE VULNERABILITY TITLE RISK
2021-01-20 CVE-2021-3110 SQL Injection vulnerability in Prestashop 1.7.7.0
The store system in PrestaShop 1.7.7.0 allows time-based boolean SQL injection via the module=productcomments controller=CommentGrade id_products[] parameter.
network
low complexity
prestashop CWE-89
critical
9.8
2020-09-24 CVE-2020-15160 SQL Injection vulnerability in Prestashop
PrestaShop from version 1.7.5.0 and before version 1.7.6.8 is vulnerable to a blind SQL Injection attack in the Catalog Product edition page with location parameter.
network
low complexity
prestashop CWE-89
critical
9.8
2020-09-15 CVE-2020-15178 Unspecified vulnerability in Prestashop Contactform
In PrestaShop contactform module (prestashop/contactform) before version 4.3.0, an attacker is able to inject JavaScript while using the contact form.
network
low complexity
prestashop
critical
9.3
2020-07-02 CVE-2020-4074 Improper Authentication vulnerability in Prestashop
In PrestaShop from version 1.5.0.0 and before version 1.7.6.6, the authentication system is malformed and an attacker is able to forge requests and execute admin commands.
network
low complexity
prestashop CWE-287
critical
9.8
2020-02-18 CVE-2013-6295 Improper Privilege Management vulnerability in Prestashop 1.5.5.0
PrestaShop 1.5.5 vulnerable to privilege escalation via a Salesman account via upload module
network
low complexity
prestashop CWE-269
critical
9.8
2019-12-05 CVE-2019-19595 Unrestricted Upload of File with Dangerous Type vulnerability in multiple products
reset/modules/advanced_form_maker_edit/multiupload/upload.php in the RESET.PRO Adobe Stock API integration 4.8 for PrestaShop allows remote attackers to execute arbitrary code by uploading a .php file.
network
low complexity
adobe prestashop CWE-434
critical
9.8
2019-12-05 CVE-2019-19594 Unrestricted Upload of File with Dangerous Type vulnerability in multiple products
reset/modules/fotoliaFoto/multi_upload.php in the RESET.PRO Adobe Stock API Integration for PrestaShop 1.6 and 1.7 allows remote attackers to execute arbitrary code by uploading a .php file.
network
low complexity
adobe prestashop CWE-434
critical
9.8
2018-11-19 CVE-2018-19355 Unrestricted Upload of File with Dangerous Type vulnerability in multiple products
modules/orderfiles/ajax/upload.php in the Customer Files Upload addon 2018-08-01 for PrestaShop (1.5 through 1.7) allows remote attackers to execute arbitrary code by uploading a php file via modules/orderfiles/upload.php with auptype equal to product (for upload destinations under modules/productfiles), order (for upload destinations under modules/files), or cart (for upload destinations under modules/cartfiles).
network
low complexity
prestashop mypresta CWE-434
critical
9.8
2018-11-09 CVE-2018-19126 Unrestricted Upload of File with Dangerous Type vulnerability in Prestashop
PrestaShop 1.6.x before 1.6.1.23 and 1.7.x before 1.7.4.4 allows remote attackers to execute arbitrary code via a file upload.
network
low complexity
prestashop CWE-434
critical
9.8
2018-07-09 CVE-2018-13784 Unspecified vulnerability in Prestashop
PrestaShop before 1.6.1.20 and 1.7.x before 1.7.3.4 mishandles cookie encryption in Cookie.php, Rinjdael.php, and Blowfish.php.
network
low complexity
prestashop
critical
9.1