CVE-2020-15161

State: PUBLISHED · Published: 2020-09-24 · Updated: 2024-08-04 · Assigner: GitHub_M

Description

In PrestaShop from version 1.6.0.4 and before version 1.7.6.8 an attacker is able to inject javascript while using the contact form. The problem is fixed in 1.7.6.8

CWE

CWE-79 — CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected

PrestaShop / PrestaShop — v=> 1.6.0.4, < 1.7.6.8 [affected]

CVSS

3.1 score=5.4 severity=MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N

References

https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-5cp2-r794-w37w x_refsource_CONFIRM
https://github.com/PrestaShop/PrestaShop/commit/562a231fec18a928e4a601860416fe11af274672 x_refsource_MISC
https://github.com/PrestaShop/PrestaShop/releases/tag/1.7.6.8 x_refsource_MISC

Source

cvelistV5-main/cves/2020/15xxx/CVE-2020-15161.json