cvelist / GitHub_M / CVELIST:CVE-2020-15178
History: Sep 15, 2020 - 5:50 p.m.

CVE-2020-15178 Potential XSS in PrestaShop contactform

2020-09-15 17:50:13
CWE-79
GitHub_M
www.cve.org
cve-2020-15178
prestashop
contact form
xss
javascript
security vulnerability

CVSS3: 8

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

AI Score: 9.4
Confidence: High

EPSS: 0.002
Percentile: 61.0%

In PrestaShop contactform module (prestashop/contactform) before version 4.3.0, an attacker is able to inject JavaScript while using the contact form. The message field was incorrectly unescaped, possibly allowing attackers to execute arbitrary JavaScript in a victim’s browser.

CNA Affected

[
  {
    "product": "contactform",
    "vendor": "PrestaShop",
    "versions": [
      {
        "status": "affected",
        "version": "< 4.3.0"
      }
    ]
  }
]
