CRITICAL 9.3
GHSA-w9f3-qc75-qgx9
PrestaShop has a stored XSS executable in customer service view
Details
### Impact
This is a **stored Cross-site Scripting (XSS)** vulnerability in the PrestaShop back-office Customer Service view.
An unauthenticated attacker can submit the public Contact Us form with a malicious email address. The payload is stored in the database and executed when a back-office employee opens the affected customer thread, enabling session hijacking and full back-office takeover.
### Patches
Patched in PrestaShop 8.2.6 and 9.1.1.
### Workarounds
None.
### Resources
- Reported by Savio at Doyensec (`anthropic@doyensec.com`) in collaboration with Anthropic Research.
Are you affected?
Enter the version of the package you're using.
Affected packages
Packagist / prestashop/prestashop
Introduced in:
0 Fixed in: 8.2.6 Fix
composer require prestashop/prestashop:^8.2.6 Packagist / prestashop/prestashop
Introduced in:
9.0.0 Fixed in: 9.1.1 Fix
composer require prestashop/prestashop:^9.1.1