Lucene search

GitHub Advisory DatabaseGHSA-58W4-W77W-QV3W

HistoryNov 16, 2020 - 9:23 p.m.

Reflected XSS with parameters in PostComment

2020-11-1621:23:29

CWE-79

GitHub Advisory Database

github.com

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

8.7 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

0.001 Low

EPSS

Percentile

29.5%

JSON

Impact

An attacker could inject malicious web code into the users’ web browsers by creating a malicious link.

Patches

The problem is fixed in 4.2.0

References

Cross-site Scripting (XSS) - Reflected (CWE-79)

Affected configurations

Vulners

Node

prestashopproductcommentsRange<4.2.0

CPENameOperatorVersion
prestashop/productcommentslt4.2.0

CPE	Name	Operator	Version
	prestashop/productcomments	lt	4.2.0

References

github.com/advisories/GHSA-58w4-w77w-qv3w

github.com/PrestaShop/productcomments/commit/c56e3e9495c4a0a9c1e7dc43e1bb0fcad2796dbf

github.com/PrestaShop/productcomments/security/advisories/GHSA-58w4-w77w-qv3w

nvd.nist.gov/vuln/detail/CVE-2020-26225

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

8.7 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

0.001 Low

EPSS

Percentile

29.5%

JSON

Related for GHSA-58W4-W77W-QV3W