contactform- PrestaShop module vulnerability (CVE-2020-15178)

Modulecontactform

Score

9.3 Critical

Date publish

15-09-2020

Versiones afectadas

Less than 4.3.0

Description

In PrestaShop contactform module (prestashop/contactform) before version 4.3.0, an attacker is able to inject JavaScript while using the contact form. The `message` field was incorrectly unescaped, possibly allowing attackers to execute arbitrary JavaScript in a victim's browser.

References

https://github.com/PrestaShop/contactfor...

Patch Third Party Advisory github.com

https://github.com/PrestaShop/contactfor...

Third Party Advisory github.com

https://packagist.org/packages/prestasho...

Vendor Advisory github.com

https://github.com/PrestaShop/contactfor...

Patch Third Party Advisory

https://github.com/PrestaShop/contactfor...

Third Party Advisory

https://packagist.org/packages/prestasho...

Vendor Advisory

Metrics

cvssMetricV31
source	security-advisories@github.com	nvd@nist.gov
type	Secondary	Primary
version	3.1	3.1
vectorString	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
baseScore	8	9.3
baseSeverity	HIGH	CRITICAL
attackVector	NETWORK	NETWORK
attackComplexity	HIGH	LOW
privilegesRequired	NONE	NONE
userInteraction	REQUIRED	REQUIRED
scope	CHANGED	CHANGED
confidentialityImpact	HIGH	HIGH
integrityImpact	HIGH	HIGH
availabilityImpact	NONE	NONE
exploitabilityScore	1.6	2.8
impactScore	5.8	5.8
cvssMetricV2
source	nvd@nist.gov
type	Primary
version	2.0
vectorString	AV:N/AC:M/Au:N/C:N/I:P/A:N
baseScore	4.3
accessVector	NETWORK
accessComplexity	MEDIUM
authentication	NONE
confidentialityImpact	NONE
integrityImpact	PARTIAL
availabilityImpact	NONE
baseSeverity	MEDIUM
exploitabilityScore	8.6
impactScore	2.9
acInsufInfo	False
obtainAllPrivilege	False
obtainUserPrivilege	False
obtainOtherPrivilege	False
userInteractionRequired	True