PrestaShop XSS vulnerability through Validate::isCleanHTML method
CVE-2023-39527
8.3 HIGH
What is CVE-2023-39527?
PrestaShop, a widely used open source e-commerce web application, is susceptible to cross-site scripting (XSS) attacks in versions before 1.7.8.10, 8.0.5, and 8.1.1 due to flaws in the isCleanHTML method. This vulnerability allows malicious users to inject arbitrary scripts into the web app, compromising the integrity of the application and potentially impacting end users. Users are advised to upgrade to the patched versions to mitigate risks. No workarounds are available for this vulnerability.
Affected Version(s)
PrestaShop < 1.7.8.10
PrestaShop >= 8.0.0, < 8.0.5
PrestaShop = 8.1.0