SQL injection vulnerability in confirm.php in the mPAY24 payment module before 1.6 for PrestaShop allows remote attackers to execute arbitrary SQL commands via the TID parameter.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-89,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mpay24_project | mpay24 | 1.4.4 |
| mpay24_project | mpay24 | 1.4.8 |
| mpay24_project | mpay24 | 1.4.5 |
| mpay24_project | mpay24 | 1.4.6 |
| mpay24_project | mpay24 | 1.4.7 |
| mpay24_project | mpay24 | 1.4.1 |
| mpay24_project | mpay24 | 1.4.0 |
| mpay24_project | mpay24 | * |
| mpay24_project | mpay24 | 1.4.9 |
| mpay24_project | mpay24 | 1.5.0 |
| mpay24_project | mpay24 | 1.4.3 |
| mpay24_project | mpay24 | 1.4.2 |
The mPAY24 payment module before 1.6 for PrestaShop allows remote attackers to obtain credentials, the installation path, and other sensitive information via a direct request to api/curllog.log.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mpay24_project | mpay24 | 1.4.4 |
| mpay24_project | mpay24 | 1.4.8 |
| mpay24_project | mpay24 | 1.4.5 |
| mpay24_project | mpay24 | 1.4.6 |
| mpay24_project | mpay24 | 1.4.7 |
| mpay24_project | mpay24 | 1.4.1 |
| mpay24_project | mpay24 | 1.4.0 |
| mpay24_project | mpay24 | * |
| mpay24_project | mpay24 | 1.4.9 |
| mpay24_project | mpay24 | 1.5.0 |
| mpay24_project | mpay24 | 1.4.3 |
| mpay24_project | mpay24 | 1.4.2 |