VDB
KO
HIGH 8.0

GHSA-fh7r-996q-gvcp

Possible XSS injection through Validate::isCleanHTML method

Details

### Impact ValidateCore::isCleanHTML() method of Prestashop misses hijickable events which can lead to XSS injection, allowed by the presence of pre-setup @keyframes methods.

This XSS which hijacks HTML attributes will be triggered without any interaction of the visitor/administrator which makes it as dangerous as a trivial XSS.

Contrary to most XSS which target HTML attributes and which are triggered without user interaction (such as onload / onerror which suffer from a very limited scope), this one can hijack every HTML element, which increases the danger due to a complete HTML elements scope.

### Patches The patch will be on PS 8.0.4 and PS 1.7.8.9

### References

Are you affected?

Enter the version of the package you're using.

Affected packages

Packagist / prestashop/prestashop
Introduced in: 8.0.0 Fixed in: 8.0.4
Fix composer require prestashop/prestashop:^8.0.4
Packagist / prestashop/prestashop
Introduced in: 0 Fixed in: 1.7.8.9
Fix composer require prestashop/prestashop:^1.7.8.9

References