CVE-2020-15178: Potential XSS in PrestaShop contactform
First published: Tue Sep 15 2020(Updated: )
In PrestaShop contactform module (prestashop/contactform) before version 4.3.0, an attacker is able to inject JavaScript while using the contact form. The `message` field was incorrectly unescaped, possibly allowing attackers to execute arbitrary JavaScript in a victim's browser.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Prestashop Contactform | <4.3.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID for this PrestaShop contactform module vulnerability?
The vulnerability ID for this PrestaShop contactform module vulnerability is CVE-2020-15178.
What is the severity score of CVE-2020-15178?
CVE-2020-15178 has a severity score of 9.3 (Critical).
How does this vulnerability in PrestaShop contactform module work?
This vulnerability allows an attacker to inject JavaScript through the contact form by exploiting the incorrectly unescaped 'message' field.
What is the affected software version for this vulnerability?
The affected software version is PrestaShop contactform module before version 4.3.0.
How can I fix CVE-2020-15178 in PrestaShop contactform module?
To fix CVE-2020-15178, update to version 4.3.0 or above of the PrestaShop contactform module.
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/references
- agent/author
- agent/remedy
- agent/severity
- agent/weakness
- agent/last-modified-date
- agent/tags
- agent/description
- agent/event
- agent/first-publish-date
- vendor/prestashop
- canonical/prestashop contactform