CVE-2020-15161
MEDIUM
PrestaShop 1.6.0.4-1.7.6.8 - Stored Cross-Site Scripting via Contact Form
Title source: llm
Description
In PrestaShop from version 1.6.0.4 and before version 1.7.6.8, an attacker is able to inject JavaScript while using the contact form. The problem is fixed in 1.7.6.8.
References (3)
Core References
Third Party Advisory x_refsource_confirm
https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-5cp2-r794-w37w
Patch, Third Party Advisory x_refsource_misc
https://github.com/PrestaShop/PrestaShop/commit/562a231fec18a928e4a601860416fe11af274672
Third Party Advisory x_refsource_misc
https://github.com/PrestaShop/PrestaShop/releases/tag/1.7.6.8
Scores
CVSS v3: 5.4
EPSS: 0.0092
EPSS Percentile: 55.6%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
Details
CWE: CWE-79
Status: published
Products (1)
prestashop/prestashop: 1.6.0.4 - 1.7.6.8
Published: Sep 24, 2020
Tracked Since: Feb 18, 2026