Manel Alonso

4 exploits Active since Mar 2020
CVE-2023-28447 NOMISEC HIGH WRITEUP
Smarty < 3.1.48 and >=4.0.0 <4.3.1 - Cross-Site Scripting
Smarty is a template engine for PHP. In affected versions smarty did not properly escape javascript code. An attacker could exploit this vulnerability to execute arbitrary JavaScript code in the context of the user's browser session. This may lead to unauthorized access to sensitive user data, manipulation of the web application's behavior, or unauthorized actions performed on behalf of the user. Users are advised to upgrade to either version 3.1.48 or to 4.3.1 to resolve this issue. There are no known workarounds for this vulnerability.
2 stars
CVSS 7.1
CVE-2020-5250 NOMISEC HIGH WRITEUP
PrestaShop <1.7.6.4 - Info Disclosure
In PrestaShop before version 1.7.6.4, when a customer edits their address, they can freely change the id_address in the form, and thus steal someone else's address. It is the same with CustomerForm, you are able to change the id_customer and change all information of all accounts. The problem is patched in version 1.7.6.4.
1 stars
CVSS 7.6
CVE-2023-30839 NOMISEC CRITICAL WRITEUP
PrestaShop < 1.7.8.9 and 8.0.0-8.0.4 - Authenticated SQL Injection
PrestaShop is an Open Source e-commerce web application. Versions prior to 8.0.4 and 1.7.8.9 contain a SQL filtering vulnerability. A BO user can write, update, and delete in the database, even without having specific rights. PrestaShop 8.0.4 and 1.7.8.9 contain a patch for this issue. There are no known workarounds.
CVSS 9.9
CVE-2022-31181 NOMISEC CRITICAL WORKING POC
PrestaShop <1.7.8.7 - SQL Injection
PrestaShop is an Open Source e-commerce platform. In versions from 1.6.0.10 and before 1.7.8.7 PrestaShop is subject to an SQL injection vulnerability which can be chained to call PHP's Eval function on attacker input. The problem is fixed in version 1.7.8.7. Users are advised to upgrade. Users unable to upgrade may delete the MySQL Smarty cache feature.
CVSS 9.8