Vulnerability Details CVE-2020-15178
In PrestaShop contactform module (prestashop/contactform) before version 4.3.0, an attacker is able to inject JavaScript while using the contact form. The `message` field was incorrectly unescaped, possibly allowing attackers to execute arbitrary JavaScript in a victim's browser.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.006
EPSS Ranking 68.0%
CVSS Severity
CVSS v3 Score 8.0
CVSS v2 Score 4.3
References
- https://github.com/PrestaShop/contactform/commit/ecd9f5d14920ec00885766a7cb41bcc5ed8bfa09
- https://github.com/PrestaShop/contactform/security/advisories/GHSA-95hx-62rh-gg96
- https://packagist.org/packages/prestashop/contactform
- https://github.com/PrestaShop/contactform/commit/ecd9f5d14920ec00885766a7cb41bcc5ed8bfa09
- https://github.com/PrestaShop/contactform/security/advisories/GHSA-95hx-62rh-gg96
- https://packagist.org/packages/prestashop/contactform
Products affected by CVE-2020-15178
-
cpe:2.3:a:prestashop:contactform:1.0.1
-
cpe:2.3:a:prestashop:contactform:2.0.0
-
cpe:2.3:a:prestashop:contactform:2.0.1
-
cpe:2.3:a:prestashop:contactform:2.0.2
-
cpe:2.3:a:prestashop:contactform:3.0.0
-
cpe:2.3:a:prestashop:contactform:4.0.0
-
cpe:2.3:a:prestashop:contactform:4.1.0
-
cpe:2.3:a:prestashop:contactform:4.1.1
-
cpe:2.3:a:prestashop:contactform:4.2.0