Description
In PrestaShop from version 1.6.0.4 and before version 1.7.6.8, an attacker is able to inject JavaScript while using the contact form. The problem is fixed in 1.7.6.8.
References (3)
Core References
Third Party Advisory x_refsource_confirm
https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-5cp2-r794-w37w
Patch, Third Party Advisory x_refsource_misc
https://github.com/PrestaShop/PrestaShop/commit/562a231fec18a928e4a601860416fe11af274672
Third Party Advisory x_refsource_misc
https://github.com/PrestaShop/PrestaShop/releases/tag/1.7.6.8
Scores
CVSS v3
5.4
EPSS
0.0029
EPSS Percentile
52.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (1)
prestashop/prestashop
1.6.0.4 - 1.7.6.8
Published
Sep 24, 2020
Tracked Since
Feb 18, 2026