GHSA-xgpm-q3mq-46rq

Suggest an improvement
Source
https://github.com/advisories/GHSA-xgpm-q3mq-46rq
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-xgpm-q3mq-46rq/GHSA-xgpm-q3mq-46rq.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-xgpm-q3mq-46rq
Aliases
Published
2024-01-03T21:41:14Z
Modified
2024-03-06T12:27:52.509091Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N CVSS Calculator
Summary
PrestaShop some attribute not escaped in Validate::isCleanHTML method
Details

Description

Some event attributes are not detected by the isCleanHTML method

Impact

Some modules using the isCleanHTML method could be vulnerable to xss

Patches

8.1.3, 1.7.8.11

Workarounds

The best workaround is to use the HTMLPurifier library to sanitize html input coming from users. The library is already available as a dependency in the PrestaShop project. Beware though that in legacy object models, fields of HTML type will call isCleanHTML.

Reporters

Reported by Antonio Russo (@Antonio-R1 on GitHub) and Antonio Rocco Spataro (@antoniospataro on GitHub).

Database specific
{
    "nvd_published_at": "2024-01-02T21:15:10Z",
    "cwe_ids": [
        "CWE-20",
        "CWE-79"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-03T21:41:14Z"
}
References

Affected packages

Packagist / prestashop/prestashop

Package

Name
prestashop/prestashop
Purl
pkg:composer/prestashop/prestashop

Affected ranges

Type
ECOSYSTEM
Events
Introduced
8.0.0-beta.1
Fixed
8.1.3

Affected versions

8.*

8.0.0-beta.1
8.0.0-rc.1
8.0.0
8.0.1
8.0.2
8.0.3
8.0.4
8.0.5
8.1.0-beta.1
8.1.0-rc.1
8.1.0
8.1.1
8.1.2

Packagist / prestashop/prestashop

Package

Name
prestashop/prestashop
Purl
pkg:composer/prestashop/prestashop

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.7.8.11

Affected versions

1.*

1.7.0.0-beta.1.0
1.7.0.0-beta.2.0
1.7.0.0-beta.3.0
1.7.0.0-beta.4.0
1.7.0.0-rc.0.0
1.7.0.0-rc.1.0
1.7.0.0-rc.2.0
1.7.0.0
1.7.0.1
1.7.0.2
1.7.0.3
1.7.0.4
1.7.0.5
1.7.0.6
1.7.1.0
1.7.1.1
1.7.1.2
1.7.2.0-rc.1.0
1.7.2.0
1.7.2.1
1.7.2.2
1.7.2.3
1.7.2.4
1.7.2.5
1.7.3.0
1.7.3.1
1.7.3.2
1.7.3.3
1.7.3.4
1.7.4.0-beta.1
1.7.4.0
1.7.4.1
1.7.4.2
1.7.4.3
1.7.4.4
1.7.5.0-beta.1
1.7.5.0-rc.1
1.7.5.0
1.7.5.1
1.7.5.2
1.7.6.0-beta.1
1.7.6.0-rc.1
1.7.6.0-rc.2
1.7.6.0
1.7.6.1
1.7.6.2
1.7.6.3
1.7.6.4
1.7.6.5
1.7.6.6
1.7.6.7
1.7.6.8
1.7.6.9
1.7.7.0-beta.1
1.7.7.0-beta.2
1.7.7.0-rc.1
1.7.7.0
1.7.7.1
1.7.7.2
1.7.7.3
1.7.7.4
1.7.7.5
1.7.7.6
1.7.7.7
1.7.7.8
1.7.8.0-beta.1
1.7.8.0-rc.1
1.7.8.0
1.7.8.1
1.7.8.2
1.7.8.3
1.7.8.4
1.7.8.5
1.7.8.6
1.7.8.7
1.7.8.8
1.7.8.9
1.7.8.10