CVE-2012-2517

MEDIUM

PrestaShop < 1.4.9.0 - Cross-Site Scripting via product[] Parameter in ajax.php

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2012-2517. PoCs published by High-Tech Bridge.

AI-analyzed exploit summary This exploit demonstrates a stored XSS vulnerability in PrestaShop's admin panel by injecting malicious JavaScript into the 'ajaxProductsPositions' parameter, which steals login credentials when triggered.

Description

Cross-site scripting (XSS) vulnerability in PrestaShop before 1.4.9 allows remote attackers to inject arbitrary web script or HTML via the index of the product[] parameter to ajax.php.

Exploits (1)

exploitdb WORKING POC VERIFIED

by High-Tech Bridge · htmlwebappsphp

https://www.exploit-db.com/exploits/37684

View Code ZIP pw:eip

This exploit demonstrates a stored XSS vulnerability in PrestaShop's admin panel by injecting malicious JavaScript into the 'ajaxProductsPositions' parameter, which steals login credentials when triggered.

Classification

Working Poc 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: PrestaShop (versions affected by CVE-2012-2517)

Auth required

Prerequisites: Access to the admin panel · Ability to submit crafted input to the vulnerable endpoint

MITRE ATT&CK

T1059.007 - JavaScript

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Exploit, Third Party Advisory x_refsource_misc

https://www.htbridge.com/advisory/HTB23091

Release Notes, Vendor Advisory x_refsource_misc

https://www.prestashop.com/download/old/changelog_1.4.9.0.txt

Scores

CVSS v3 6.1

EPSS 0.0189

EPSS Percentile 76.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (1)

prestashop/prestashop < 1.4.9.0

Published Feb 11, 2020

Tracked Since Feb 18, 2026