Pierre Rambaud

Name of the Vulnerable Software and Affected Versions: PrestaShop versions prior to 1.7.8.2 Description: PrestaShop is an Open Source e-commerce web application. The issue is related to blind SQL injection using search filters with `orderBy` and `sortOrder` parameters. Recommendations: For PrestaShop versions prior to 1.7.8.2, update to version 1.7.8.2 to resolve the issue. As a temporary workaround, consider restricting the use of search filters with `orderBy` and `sortOrder` parameters until the update is applied.

**Name of the Vulnerable Software and Affected Versions** PrestaShop contactform module versions prior to 4.3.0 **Description** The issue allows an attacker to inject JavaScript while using the contact form, potentially executing arbitrary JavaScript in a victim's browser. This is due to the `message` field being incorrectly unescaped. **Recommendations** For PrestaShop contactform module versions prior to 4.3.0, update to version 4.3.0 to resolve the issue. As a temporary workaround, consider restricting the use of the contact form until the update is applied.

**Name of the Vulnerable Software and Affected Versions** PrestaShop versions prior to 1.7.6.5 **Description** The issue allows for a reflected XSS attack when a security compromised page is accessed, enabling the execution of arbitrary actions. **Recommendations** For PrestaShop versions prior to 1.7.6.5, update to version 1.7.6.5 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** PrestaShop versions 1.7.4.0 through 1.7.6.4 **Description** The issue is related to a reflected XSS that occurs when uploading an incorrect file. **Recommendations** For PrestaShop versions 1.7.4.0 through 1.7.6.4, update to version 1.7.6.5 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** PrestaShop versions 1.5.5.0 through 1.7.6.4 **Description** The issue is related to improper access control on customer search. The problem was fixed in version 1.7.6.5. **Recommendations** For PrestaShop versions 1.5.5.0 through 1.7.6.4, update to version 1.7.6.5 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** PrestaShop versions 1.7.0.0 through 1.7.6.4 **Description** The issue concerns improper access controls on the product attributes page. The problem was fixed in version 1.7.6.5. **Recommendations** For PrestaShop versions 1.7.0.0 through 1.7.6.4, update to version 1.7.6.5 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** PrestaShop versions 1.7.0.0 through 1.7.6.4 **Description** The issue is related to improper access controls on the product page, specifically affecting combinations, attachments, and specific prices. **Recommendations** For PrestaShop versions 1.7.0.0 through 1.7.6.4, update to version 1.7.6.5 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** PrestaShop versions 1.7.6.1 through 1.7.6.4 **Description** The issue is a reflected XSS that occurs on the AdminAttributesGroups page. The problem has been patched. **Recommendations** For PrestaShop versions 1.7.6.1 through 1.7.6.4, update to version 1.7.6.5 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** PrestaShop versions 1.7.6.1 through 1.7.6.4 **Description** The issue is a reflected XSS that occurs on the AdminFeatures page by using the `id feature` parameter. The problem is fixed in version 1.7.6.5. **Recommendations** For PrestaShop versions 1.7.6.1 through 1.7.6.4, update to version 1.7.6.5 to resolve the issue. As a temporary workaround, consider restricting the use of the `id feature` parameter in the AdminFeatures page until the update is applied.

**Name of the Vulnerable Software and Affected Versions** PrestaShop versions 1.7.6.0 through 1.7.6.5 **Description** The issue is related to an open redirection when using the `back` parameter. This can lead to the theft of information and credentials, as well as redirection to malicious websites containing attacker-controlled content, potentially causing XSS attacks. **Recommendations** For PrestaShop versions 1.7.6.0 through 1.7.6.5, update to version 1.7.6.5 to resolve the issue. As a temporary workaround, consider restricting the use of the `back` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** PrestaShop versions 1.6.0.0 through 1.7.6.4 **Description** The issue is related to a reflected XSS in the dashboard page, specifically with the `date from` and `date to` parameters. This problem has been fixed in version 1.7.6.5. **Recommendations** For PrestaShop versions 1.6.0.0 through 1.7.6.4, update to version 1.7.6.5 to resolve the issue. As a temporary workaround, consider restricting access to the dashboard page or avoiding the use of the `date from` and `date to` parameters until the update is applied.

**Name of the Vulnerable Software and Affected Versions** PrestaShop versions 1.5.5.0 through 1.7.6.4 **Description** The issue is related to a reflected XSS on the Search page, specifically involving the `alias` and `search` parameters. **Recommendations** For PrestaShop versions 1.5.5.0 through 1.7.6.4, update to version 1.7.6.5 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** PrestaShop versions 1.7.1.0 through 1.7.6.4 **Description** The issue is related to a reflected XSS on the AdminCarts page, specifically with the `cartBox` parameter. The problem has been fixed in version 1.7.6.5. **Recommendations** For PrestaShop versions 1.7.1.0 through 1.7.6.4, update to version 1.7.6.5 to resolve the issue. As a temporary workaround, consider restricting access to the AdminCarts page or avoiding the use of the `cartBox` parameter until the update is applied.

**Name of the Vulnerable Software and Affected Versions** PrestaShop versions 1.5.4.0 through 1.7.6.4 **Description** The issue is related to a reflected XSS on the Exception page. The problem is fixed in version 1.7.6.5. **Recommendations** For PrestaShop versions 1.5.4.0 through 1.7.6.4, update to version 1.7.6.5 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** PrestaShop versions 1.5.0.0 through 1.7.6.4 **Description** The issue is related to improper access control in PrestaShop, specifically affecting legacy controllers since version 1.5.0.0. The affected API endpoints include "admin-dev/index.php/configure/shop/customer-preferences/", "admin-dev/index.php/improve/international/translations/", "admin-dev/index.php/improve/international/geolocation/", "admin-dev/index.php/improve/international/localization", "admin-dev/index.php/configure/advanced/performance", "admin-dev/index.php/sell/orders/delivery-slips/", and "admin-dev/index.php?controller=AdminStatuses". **Recommendations** For PrestaShop versions 1.5.0.0 through 1.7.6.4, update to version 1.7.6.5 to resolve the issue. As a temporary workaround, consider restricting access to the affected API endpoints until the update can be applied.

**Name of the Vulnerable Software and Affected Versions** PrestaShop versions 1.7.6.0 through 1.7.6.4 **Description** The issue is related to a reflected XSS. It involves the `back` parameter. **Recommendations** For PrestaShop versions 1.7.6.0 through 1.7.6.4, update to version 1.7.6.5 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** PrestaShop versions prior to 3.1.0 **Description** The issue concerns a stored XSS in the ps link module when creating or editing a link list block, specifically with the title field. **Recommendations** For versions prior to 3.1.0, update to version 3.1.0 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** PrestaShop module ps linklist versions prior to 3.1.0 **Description** The issue concerns a stored XSS when using custom URLs. **Recommendations** For PrestaShop module ps linklist versions prior to 3.1.0, update to version 3.1.0 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** PrestaShop module ps facetedsearch versions prior to 2.1.0 **Description** The issue concerns a reflected XSS related to social networks fields. The problem has been fixed in version 2.1.0. **Recommendations** For PrestaShop module ps facetedsearch versions prior to 2.1.0, update to version 2.1.0 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** PrestaShop module ps facetedsearch versions prior to 3.5.0 **Description** The issue is related to a reflected XSS with the `url name` parameter. The problem is fixed in version 3.5.0. **Recommendations** For PrestaShop module ps facetedsearch versions prior to 3.5.0, update to version 3.5.0 to resolve the issue. As a temporary workaround, consider restricting the use of the `url name` parameter in the affected module until the update is applied.