202 Ecommerce

8 exploits Active since Mar 2024
CVE-2024-24302 WRITEUP CRITICAL WRITEUP
Product Designer < 1.178.36 - Remote Code Execution via postProcess() Method
An issue was discovered in Tunis Soft "Product Designer" (productdesigner) module for PrestaShop before version 1.178.36, allows remote attackers to execute arbitrary code, escalate privileges, and obtain sensitive information via the postProcess() method.
CVSS 9.8
CVE-2024-24307 WRITEUP HIGH WRITEUP
Product Designer < 1.178.36 - Path Traversal via ajaxProcessCropImage()
Path Traversal vulnerability in Tunis Soft "Product Designer" (productdesigner) module for PrestaShop before version 1.178.36, allows a remote attacker to escalate privileges and obtain sensitive information via the ajaxProcessCropImage() method.
CVSS 7.5
CVE-2024-25839 WRITEUP HIGH WRITEUP
Webbax supernewsletter < 1.4.21 - Privilege Escalation and Sensitive Information Exposure
An issue was discovered in Webbax "Super Newsletter" (supernewsletter) module for PrestaShop versions 1.4.21 and before, allows local attackers to escalate privileges and obtain sensitive information.
CVSS 7.5
CVE-2024-25844 WRITEUP HIGH WRITEUP
PrestaShop <4.1.26 - Privilege Escalation/Info Disclosure
An issue was discovered in Common-Services "So Flexibilite" (soflexibilite) module for PrestaShop before version 4.1.26, allows remote attackers to escalate privileges and obtain sensitive information via debug file.
CVSS 7.5
CVE-2024-25847 WRITEUP CRITICAL WRITEUP
MyPrestaModules Product Catalog Import < 6.5.0 - SQL Injection & Privilege Escalation
SQL Injection vulnerability in MyPrestaModules "Product Catalog (CSV, Excel) Import" (simpleimportproduct) modules for PrestaShop versions 6.5.0 and before, allows attackers to escalate privileges and obtain sensitive information via Send::__construct() and importProducts::_addDataToDb methods.
CVSS 9.8
CVE-2024-26469 WRITEUP HIGH WRITEUP
Product Designer < 1.178.36 - Server-Side Request Forgery via URL Parameter
Server-Side Request Forgery (SSRF) vulnerability in Tunis Soft "Product Designer" (productdesigner) module for PrestaShop before version 1.178.36, allows remote attackers to cause a denial of service (DoS) and escalate privileges via the url parameter in the postProcess() method.
CVSS 8.1
CVE-2024-33836 WRITEUP CRITICAL WRITEUP
JA Marketplace <9.0.1 - Code Injection
In the module "JA Marketplace" (jamarketplace) up to version 9.0.1 from JA Module for PrestaShop, a guest can upload files with extensions .php. In version 6.X, the method `JmarketplaceproductModuleFrontController::init()` and in version 8.X, the method `JmarketplaceSellerproductModuleFrontController::init()` allow upload of .php files, which will lead to a critical vulnerability.
CVSS 9.8
CVE-2024-34990 WRITEUP CRITICAL WRITEUP
FME Modules for PrestaShop <2.4.0 - Code Injection
In the module "Help Desk - Customer Support Management System" (helpdesk) up to version 2.4.0 from FME Modules for PrestaShop, a customer can upload .php files. Methods `HelpdeskHelpdeskModuleFrontController::submitTicket()` and `HelpdeskHelpdeskModuleFrontController::replyTicket()` allow upload of .php files on a predictable path for connected customers.
CVSS 10.0