PrestaShop vulnerable to possible XSS injection through Validate::isCleanHTML method
CVE-2023-30838

8.6HIGH

Key Information:

Vendor: Prestashop
Status: Prestashop
Vendor: CVE Published:; 25 April 2023

What is CVE-2023-30838?

The ValidateCore::isCleanHTML() method in PrestaShop prior to versions 8.0.4 and 1.7.8.9 is susceptible to an exploitable cross-site scripting (XSS) vulnerability. This flaw allows attackers to execute malicious scripts by hijacking HTML attributes without requiring any user interaction. Unlike conventional XSS attacks, which are often limited in scope, this vulnerability can affect all HTML elements, significantly increasing the risk to both site administrators and users. The issue has been addressed in the versions listed above.

Affected Version(s)

PrestaShop >= 8.0.0, < 8.0.4 < 8.0.0, 8.0.4

PrestaShop < 1.7.8.9 < 1.7.8.9

References

https://github.com/PrestaShop/PrestaShop/security/advisor...

x_refsource_CONFIRM

https://github.com/PrestaShop/PrestaShop/commit/46408ae4b...

x_refsource_MISC

https://github.com/PrestaShop/PrestaShop/commit/dc682192d...

x_refsource_MISC

CVSS V3.1

Score:

8.6

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 25, 2023
Vulnerability Reserved
Apr 18, 2023

Prestashop

What is CVE-2023-30838?

Affected Version(s)

References

CVSS V3.1

Timeline