Skip to content

Possible XSS injection through Validate::isCleanHTML method

High
mflasquin published GHSA-fh7r-996q-gvcp Apr 25, 2023

Package

composer prestashop/prestashop (Composer)

Affected versions

< 8.0.3

Patched versions

8.0.4 and 1.7.8.9

Description

Impact

ValidateCore::isCleanHTML() method of Prestashop misses hijickable events which can lead to XSS injection, allowed by the presence of pre-setup @Keyframes methods.

This XSS which hijacks HTML attributes will be triggered without any interaction of the visitor/administrator which makes it as dangerous as a trivial XSS.

Contrary to most XSS which target HTML attributes and which are triggered without user interaction (such as onload / onerror which suffer from a very limited scope), this one can hijack every HTML element, which increases the danger due to a complete HTML elements scope.

Patches

The patch will be on PS 8.0.4 and PS 1.7.8.9

References

Severity

High
8.0
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
High
Privileges required
Low
User interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

CVE ID

CVE-2023-30838

Weaknesses

No CWEs

Credits