Cross-Site Scripting Vulnerability in PrestaShop Module by PrestaShop
CVE-2025-24027
6.2 MEDIUM
What is CVE-2025-24027?
The ps_contactinfo module for PrestaShop, which displays the store's contact information, is vulnerable to cross-site scripting (XSS) in all versions up to and including 3.3.2. The vulnerability affects shops that also have third-party modules installed which are themselves vulnerable, for example to SQL injection; through such a module, an attacker can achieve stored XSS via improperly formatted address objects. A commit has been made to fix the issue, and users are urged to upgrade to version 3.3.3 or later to mitigate the risk. Apply security patches immediately and keep all modules up to date to maintain site security.
Affected Version(s)
ps_contactinfo <= 3.3.2
CVSS V3.1
Score: 6.2
Severity: MEDIUM
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Unchanged