Matthieu-Rolland

**Nome do Software Vulnerável e Versões Afetadas** Módulo ps contactinfo do PrestaShop, versões até e incluindo a 3.3.2 **Descrição** O módulo ps contactinfo apresenta uma vulnerabilidade de cross-site scripting (XSS). Esta questão pode ser explorada em lojas que se tornam vulneráveis devido a módulos de terceiros, como aqueles suscetíveis a injeções de SQL. Por exemplo, se uma loja possuir um módulo de terceiros vulnerável a injeções de SQL, o ps contactinfo pode executar um cross-site scripting armazenado na formatação de objetos. Um commit foi realizado para impedir que endereços formatados exibam um XSS armazenado no banco de dados, e a correção deve estar disponível na versão 3.3.3. **Recomendações** Para versões até e incluindo a 3.3.2, aplique a correção e mantenha todos os módulos atualizados e mantidos para prevenir a exploração. Como medida de contorno temporária, considere manter todos os módulos atualizados e mantidos, pois não há outras medidas de contorno disponíveis além de aplicar a correção. Para a versão 3.3.3 e posteriores, nenhuma ação é necessária, pois a correção deve estar incluída nesta versão.

**Name of the Vulnerable Software and Affected Versions** blockreassurance versions prior to 5.1.4 **Description** The issue concerns an AJAX function in the blockreassurance module that allows modification of any value in the configuration table, potentially compromising the trustworthiness of a store. **Recommendations** For versions prior to 5.1.4, update to version 5.1.4 to resolve the issue. As a temporary workaround, consider restricting access to the AJAX function in the blockreassurance module until the update is applied.

**Name of the Vulnerable Software and Affected Versions** PrestaShop versions prior to 5.1.4 **Description** The issue affects the blockreassurance module in PrestaShop, which is designed to offer helpful information to reassure customers about the store's trustworthiness. A back-office (BO) user can modify an HTTP request when adding a block in this module, allowing them to specify the path of any file in the project instead of an image. If the block is then deleted from the back-office, the specified file will also be deleted. This could potentially make the website completely unavailable if critical files, such as index.php, are removed. **Recommendations** For PrestaShop versions prior to 5.1.4, update to version 5.1.4 to resolve the issue. As a temporary workaround, consider restricting access to the blockreassurance module to prevent unauthorized file deletion until the update can be applied.

**Name of the Vulnerable Software and Affected Versions** PrestaShop versions prior to 1.7.8.10 PrestaShop versions prior to 8.0.5 PrestaShop versions prior to 8.1.1 **Description** PrestaShop is an open source e-commerce web application. The issue concerns remote code execution through SQL injection and arbitrary file write in the back office. There are no known workarounds. **Recommendations** For versions prior to 1.7.8.10, update to version 1.7.8.10 or later. For versions prior to 8.0.5, update to version 8.0.5 or later. For versions prior to 8.1.1, update to version 8.1.1 or later.

**Name of the Vulnerable Software and Affected Versions** PrestaShop versions prior to 8.0.1 **Description** PrestaShop is an open source e-commerce web application that is vulnerable to cross-site request forgery (CSRF). When authenticating users, PrestaShop preserves session attributes, which does not clear CSRF tokens upon login. This might enable same-site attackers to bypass the CSRF protection mechanism by performing an attack similar to a session-fixation. **Recommendations** For versions prior to 8.0.1, update to version 8.0.1 to resolve the issue. As a temporary workaround, consider clearing CSRF tokens upon login to prevent same-site attackers from bypassing the CSRF protection mechanism. Restrict access to sensitive areas of the application to minimize the risk of exploitation.