CVE-2020-15162

Published: Sep 24, 2020Modified: Nov 21, 2024

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.3 / Impact: 2.7

Source: NVD

Description

In PrestaShop from version 1.5.0.0 and before version 1.7.6.8, users are allowed to send compromised files. These attachments allowed people to input malicious JavaScript which triggered an XSS payload. The problem is fixed in version 1.7.6.8.

Affected (1)

Products: Prestashop: Prestashop

Prestashop

1 product

Prestashop

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Prestashop Prestashop	From 1.5.0.0 to 1.7.6.8

Related CWEs

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (6)

https://github.com/PrestaShop/PrestaShop/commit/2cfcd33c75974a49f17665f294f228454e14d9cf

Source: security-advisories@github.com

PatchThird Party Advisory

https://github.com/PrestaShop/PrestaShop/releases/tag/1.7.6.8

Source: security-advisories@github.com

Third Party Advisory

https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-rc8c-v7rq-q392

Source: security-advisories@github.com

ExploitThird Party Advisory

https://github.com/PrestaShop/PrestaShop/commit/2cfcd33c75974a49f17665f294f228454e14d9cf

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/PrestaShop/PrestaShop/releases/tag/1.7.6.8

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-rc8c-v7rq-q392

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.