HIGH 8.1
GHSA-xgpm-q3mq-46rq
PrestaShop some attribute not escaped in Validate::isCleanHTML method
Details
### Description Some event attributes are not detected by the isCleanHTML method
### Impact Some modules using the isCleanHTML method could be vulnerable to xss
### Patches 8.1.3, 1.7.8.11
### Workarounds The best workaround is to use the `HTMLPurifier` library to sanitize html input coming from users. The library is already available as a dependency in the PrestaShop project. Beware though that in legacy object models, fields of `HTML` type will call `isCleanHTML`.
### Reporters
Reported by Antonio Russo (@Antonio-R1 on GitHub) and Antonio Rocco Spataro (@antoniospataro on GitHub).
Are you affected?
Enter the version of the package you're using.
Affected packages
Packagist / prestashop/prestashop
Introduced in:
8.0.0-beta.1 Fixed in: 8.1.3 Fix
composer require prestashop/prestashop:^8.1.3 Packagist / prestashop/prestashop
Introduced in:
0 Fixed in: 1.7.8.11 Fix
composer require prestashop/prestashop:^1.7.8.11 References
- https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-xgpm-q3mq-46rq [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2024-21627 [ADVISORY]
- https://github.com/PrestaShop/PrestaShop/commit/0ed1af8de500538490f88e9e794e2e8113fb8df7 [WEB]
- https://github.com/PrestaShop/PrestaShop/commit/73cfb44666818eefd501b526a894fe884dd12129 [WEB]
- https://github.com/PrestaShop/PrestaShop/commit/ba06d18466df5b92cb841d504cc7210121104883 [WEB]
- https://github.com/PrestaShop/PrestaShop/commit/f799dcff564cd1b7ead932ffc3343b675107dbce [WEB]
- https://github.com/PrestaShop/PrestaShop [PACKAGE]