VDB
EN
HIGH 8.0

GHSA-fh7r-996q-gvcp

Possible XSS injection through Validate::isCleanHTML method

상세

### Impact ValidateCore::isCleanHTML() method of Prestashop misses hijickable events which can lead to XSS injection, allowed by the presence of pre-setup @keyframes methods.

This XSS which hijacks HTML attributes will be triggered without any interaction of the visitor/administrator which makes it as dangerous as a trivial XSS.

Contrary to most XSS which target HTML attributes and which are triggered without user interaction (such as onload / onerror which suffer from a very limited scope), this one can hijack every HTML element, which increases the danger due to a complete HTML elements scope.

### Patches The patch will be on PS 8.0.4 and PS 1.7.8.9

### References

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

Packagist / prestashop/prestashop
최초 영향 버전: 8.0.0 수정 버전: 8.0.4
수정 composer require prestashop/prestashop:^8.0.4
Packagist / prestashop/prestashop
최초 영향 버전: 0 수정 버전: 1.7.8.9
수정 composer require prestashop/prestashop:^1.7.8.9

참고