5.4

CVE-2020-15162

Exploit

Stored XSS in PrestaShop

In PrestaShop from version 1.5.0.0 and before version 1.7.6.8, users are allowed to send compromised files. These attachments allowed people to input malicious JavaScript which triggered an XSS payload. The problem is fixed in version 1.7.6.8.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
PrestashopPrestashop Version >= 1.5.0.0 < 1.7.6.8
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.8% 0.516
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.4 2.3 2.7
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
nvd@nist.gov 3.5 6.8 2.9
AV:N/AC:M/Au:S/C:N/I:P/A:N
security-advisories@github.com 5.4 2.2 2.7
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://github.com/PrestaShop/PrestaShop/releases/tag/1.7.6.8
Third Party Advisory
https://github.com/PrestaShop/PrestaShop/commit/2cfcd33c75974a49f17665f294f228454e14d9cf
Patch
Third Party Advisory
https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-rc8c-v7rq-q392
Third Party Advisory
Exploit