Three very important vulnerabilities have been detected in Prestashop: two of the SQL injection type, one of critical severity and the other of high severity, and another high severity XSS injection vulnerability, which could allow any user with administrator permissions to write, update or drop SQL databases regardless of their permissions.
You can see the statement here.
Detail:
The critical severity vulnerability is SQL filtering and could allow a user to write, update, and delete to the database, even without having specific administrator permissions.
Of the high severity vulnerabilities, one affects arbitrary file reading, which makes it possible for a user with SQL manager access to arbitrarily read any file in the operating system with a SELECT function. While the other high severity vulnerability consists of a possible XSS injection, which could facilitate the hijacking of HTML elements without the need for user interaction.
Solution:
Prestashop has released a patch and recommends updating to versions 8.0.4 and 1.7.8.9.
https://build.prestashop-project.org/news/2023/prestashop-8-0-4-maintenance-release/
https://build.prestashop-project.org/news/2023/prestashop-1-7-8-9-maintenance-release/
The only current way to apply the patch is to update the version of Prestashop to the indicated ones.
If you have a Prestashop 1.7.X you must update to 1.7.8.9
If you have a Prestashop 8.X you must update to 8.0.4
Free 30-days trial Hosting prestashop Fast, Secure and Optimized
Switch to Bhoost with 30 days free and migration included
Free 30-days trial
