Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS14Z3BtLXEzbXEtNDZycc4AA4Lv

PrestaShop some attribute not escaped in Validate::isCleanHTML method

Description

Some event attributes are not detected by the isCleanHTML method

Impact

Some modules using the isCleanHTML method could be vulnerable to xss

Patches

8.1.3, 1.7.8.11

Workarounds

The best workaround is to use the HTMLPurifier library to sanitize html input coming from users. The library is already available as a dependency in the PrestaShop project. Beware though that in legacy object models, fields of HTML type will call isCleanHTML.

Reporters

Reported by Antonio Russo (@Antonio-R1 on GitHub) and Antonio Rocco Spataro (@antoniospataro on GitHub).

Permalink: https://github.com/advisories/GHSA-xgpm-q3mq-46rq
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS14Z3BtLXEzbXEtNDZycc4AA4Lv
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 4 months ago
Updated: 4 months ago

CVSS Score: 8.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N

Identifiers: GHSA-xgpm-q3mq-46rq, CVE-2024-21627
References:

• https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-xgpm-q3mq-46rq
• https://nvd.nist.gov/vuln/detail/CVE-2024-21627
• https://github.com/PrestaShop/PrestaShop/commit/0ed1af8de500538490f88e9e794e2e8113fb8df7
• https://github.com/PrestaShop/PrestaShop/commit/73cfb44666818eefd501b526a894fe884dd12129
• https://github.com/PrestaShop/PrestaShop/commit/ba06d18466df5b92cb841d504cc7210121104883
• https://github.com/PrestaShop/PrestaShop/commit/f799dcff564cd1b7ead932ffc3343b675107dbce
• https://github.com/advisories/GHSA-xgpm-q3mq-46rq

Repository: https://github.com/PrestaShop/PrestaShop
Blast Radius: 2.4

Affected Packages