Possible XSS injection through Validate::isCleanHTML method
High severity
GitHub Reviewed
Published Apr 25, 2023 in PrestaShop/PrestaShop • Updated Nov 10, 2023
Package
Affected versions: >= 8.0.0, < 8.0.4. Patched version: 8.0.4
Affected versions: < 1.7.8.9. Patched version: 1.7.8.9
Published by the National Vulnerability Database: Apr 25, 2023
Published to the GitHub Advisory Database: Apr 25, 2023
Reviewed: Apr 25, 2023
Last updated: Nov 10, 2023
Description
Impact
The ValidateCore::isCleanHTML() method of PrestaShop misses hijackable events, which can lead to XSS injection, allowed by the presence of pre-setup @keyframes methods.
This XSS, which hijacks HTML attributes, is triggered without any interaction from the visitor or administrator, which makes it as dangerous as a trivial XSS.
Most XSS that target HTML attributes and trigger without user interaction (such as onload / onerror) suffer from a very limited scope. This one, by contrast, can hijack every HTML element, which increases the danger because its scope is the complete set of HTML elements.
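A check that enumerates event names passes any handler missing from its list. As an added example (not code from PrestaShop or from this advisory), the PHP below contrasts a denylist check with one that parses the HTML and rejects every on* attribute; LISTED_EVENTS, the function names and the sample inputs are constructed, and it assumes PHP 8 with the dom extension.

```php
<?php
// Added example, not PrestaShop code. LISTED_EVENTS is a short constructed
// stand-in for an enumerated denylist, not the project's actual list.
const LISTED_EVENTS = 'onclick|onerror|onload|onmouseover';

// Denylist style: only handlers someone remembered to enumerate are flagged.
function denylistIsClean(string $html): bool
{
    return !preg_match('/<\s*script/i', $html)
        && !preg_match('/\b(' . LISTED_EVENTS . ')\s*=/i', $html);
}

// Structural style: parse the fragment, then reject <script> elements and
// every attribute whose name starts with "on". Covers event-handler
// attributes only; URL schemes and CSS need their own checks.
function structuralIsClean(string $html): bool
{
    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true); // silence HTML5 tag warnings
    $doc->loadHTML('<div>' . $html . '</div>');
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    foreach ($doc->getElementsByTagName('*') as $element) {
        if (strtolower($element->nodeName) === 'script') {
            return false;
        }
        foreach ($element->attributes as $attribute) {
            if (strncasecmp($attribute->nodeName, 'on', 2) === 0) {
                return false;
            }
        }
    }
    return true;
}

// Constructed inputs; "onfutureevent" is a hypothetical handler name that
// stands for any event missing from the list.
$samples = [
    'plain'    => '<p class="intro">Hello</p>',
    'listed'   => '<img src="a.png" onerror="x()">',
    'unlisted' => '<div onfutureevent="x()">text</div>',
];
foreach ($samples as $label => $html) {
    printf("%-8s denylist=%s structural=%s\n", $label,
        var_export(denylistIsClean($html), true),
        var_export(structuralIsClean($html), true));
}
```

For HTML that is stored and rendered later, an allowlist of permitted elements and attributes is more robust than either check.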
Patches
The patch will be on PS 8.0.4 and PS 1.7.8.9.
References