GHSA-vwfx-hh3w-fj99

Source

https://github.com/advisories/GHSA-vwfx-hh3w-fj99

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-vwfx-hh3w-fj99/GHSA-vwfx-hh3w-fj99.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-vwfx-hh3w-fj99

Aliases

CVE-2021-21418

Related

CVE-2021-21418

Published

2021-04-06T17:24:14Z

Modified

2023-11-01T04:54:15.826646Z

Severity

4.6 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N CVSS Calculator

Summary

Potential XSS injection in the newsletter conditions field

Details

Impact

An employee can inject javascript in the newsletter condition field that will then be executed on the front office

Patches

The issue has been fixed in 2.6.1

Database specific

{
    "github_reviewed": true,
    "github_reviewed_at": "2021-03-31T17:35:42Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "nvd_published_at": "2021-03-31T18:15:00Z",
    "severity": "MODERATE"
}

References

Affected packages

Packagist / prestashop/ps_emailsubscription

Package

Name: prestashop/ps_emailsubscription
Purl: pkg:composer/prestashop/ps_emailsubscription

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.6.1

Affected versions

v1.*

v1.0.1

v1.1.0

v1.1.1

v1.1.2

v1.1.6

v2.*

v2.1.0

v2.2.0

v2.3.0

v2.5.0

v2.6.0