Vulnerability CVE-2020-15178
Published: 2020-09-15

Description:
In PrestaShop contactform module (prestashop/contactform) before version 4.3.0, an attacker is able to inject JavaScript while using the contact form. The `message` field was incorrectly unescaped, possibly allowing attackers to execute arbitrary JavaScript in a victim's browser.

Type:

CWE-79

 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))

CVSS2 => (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
4.3/10
2.9/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
None
Partial
None
Affected software
Prestashop -> Contactform 

 References:
https://github.com/PrestaShop/contactform/commit/ecd9f5d14920ec00885766a7cb41bcc5ed8bfa09
https://github.com/PrestaShop/contactform/security/advisories/GHSA-95hx-62rh-gg96
https://packagist.org/packages/prestashop/contactform
Copyright 2024, cxsecurity.com

 

Back to Top