Cross-site scripting in PrestaShop



Published: 2019-05-24 | Updated: 2020-08-08
Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2019-11876
CWE-ID CWE-79
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe 		PrestaShop
Web applications / E-Commerce systems

Drupal
Web applications / CMS

Vendor PrestaShop SA
Drupal

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Cross-site scripting

EUVDB-ID: #VU35875

Risk: Low

CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-11876

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

In PrestaShop 1.7.5.2, the shop_country parameter in the install/index.php installation script/component is affected by Reflected XSS. Exploitation by a malicious actor requires the user to follow the initial stages of the setup (accepting terms and conditions) before executing the malicious link.

Mitigation

Install update from vendor's website.

Vulnerable software versions

PrestaShop: 1.7.5.2

Drupal: 1.7.5.2 - 8.7.0

External links

http://www.logicallysecure.com/blog/xss-presta-xss-drupal/
http://www.prestashop.com/forums/forum/2-prestashop-news-and-releases/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###