Vulnerabilities > Prestashop > High
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-12-03 | CVE-2020-26248 | SQL Injection vulnerability in Prestashop Productcomments In the PrestaShop module "productcomments" before version 4.2.1, an attacker can use a Blind SQL injection to retrieve data or stop the MySQL service. | 8.2 |
| 2020-11-16 | CVE-2020-26224 | Unspecified vulnerability in Prestashop In PrestaShop before version 1.7.6.9 an attacker is able to list all the orders placed on the website without being logged by abusing the function that allows a shopping cart to be recreated from an order already placed. | 7.5 |
| 2020-07-02 | CVE-2020-15082 | Unspecified vulnerability in Prestashop In PrestaShop from version 1.6.0.1 and before version 1.7.6.6, the dashboard allows rewriting all configuration variables. | 8.8 |
| 2020-04-27 | CVE-2020-12120 | Incorrect Permission Assignment for Critical Resource vulnerability in Prestashop Correos Express 1.6/1.6.0.4/1.7 The Correos Express addon for PrestaShop 1.6 through 1.7 allows remote attackers to obtain sensitive information, such as a service's owner password that can be used to modify orders via SOAP. | 7.5 |
| 2020-01-23 | CVE-2013-6358 | Unrestricted Upload of File with Dangerous Type vulnerability in Prestashop 1.5.5.0 PrestaShop 1.5.5 allows remote authenticated attackers to execute arbitrary code by uploading a crafted profile and then accessing it in the module/ directory. | 8.8 |
| 2019-07-09 | CVE-2019-13461 | Authorization Bypass Through User-Controlled Key vulnerability in Prestashop In PrestaShop before 1.7.6.0 RC2, the id_address_delivery and id_address_invoice parameters are affected by an Insecure Direct Object Reference vulnerability due to a guessable value sent to the web application during checkout. | 7.5 |
| 2019-01-15 | CVE-2018-20717 | Code Injection vulnerability in Prestashop In the orders section of PrestaShop before 1.7.2.5, an attack is possible after gaining access to a target store with a user role with the rights of at least a Salesman or higher privileges. | 8.8 |
| 2018-11-09 | CVE-2018-19125 | Unspecified vulnerability in Prestashop PrestaShop 1.6.x before 1.6.1.23 and 1.7.x before 1.7.4.4 allows remote attackers to delete an image directory. | 7.5 |
| 2018-11-09 | CVE-2018-19124 | Path Traversal vulnerability in Prestashop PrestaShop 1.6.x before 1.6.1.23 and 1.7.x before 1.7.4.4 on Windows allows remote attackers to write to arbitrary image files. | 7.5 |
| 2018-02-26 | CVE-2018-7491 | Improper Restriction of Rendered UI Layers or Frames vulnerability in Prestashop In PrestaShop through 1.7.2.5, a UI-Redressing/Clickjacking vulnerability was found that might lead to state-changing impact in the context of a user or an admin, because the generateHtaccess function in classes/Tools.php sets neither X-Frame-Options nor 'Content-Security-Policy "frame-ancestors' values. | 7.5 |