CVE-2020-26225
Published 2020-11-16
Priority: P4 · 26 · medium · CVSS 3.1 base score 6.1
Vector: AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
EPSS: 0.88% (54.4th percentile)
In PrestaShop Product Comments (module productcomments) before version 4.2.0, an attacker could inject malicious web code into users' browsers by crafting a malicious link: request parameters handled by the PostComment controller are reflected into the response without output encoding (reflected cross-site scripting, CWE-79). The problem was introduced in version 4.0.0 and is fixed in 4.2.0.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| prestashop | product_comments | >= 4.0.0 < 4.2.0 | 4.2.0 |
| prestashop | productcomments | — | — |
| prestashop | productcomments | >= 4.0.0 < 4.2.0 | 4.2.0 |
CVSS provenance
NVD, CVSS v3.1: 6.1 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
NVD, CVSS v2.0: 4.3 MEDIUM (AV:N/AC:M/Au:N/C:N/I:P/A:N)
GHSA (GHSA-58w4-w77w-qv3w, published 2020-11-16)
CVE-2020-26225 [MEDIUM] CWE-79: Reflected XSS with parameters in PostComment
### Impact
An attacker could inject malicious web code into the users' web browsers by creating a malicious link.
### Patches
The problem is fixed in productcomments 4.2.0.
### References
[Cross-site Scripting (XSS) - Reflected (CWE-79) ](https://cwe.mitre.org/data/definitions/79.html)
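The advisory gives the bug class (reflected XSS through parameters of the PostComment handler) but not the affected lines. The following PHP is an added illustration of that class and its standard fix; it is not code from the productcomments module, and the parameter name `comment_title`, the error-message markup and the helper names are assumptions. The hardened variant encodes at the HTML sink, which is the same principle the 4.2.0 fix commit applies; consult the commit itself for the exact change.

```php
<?php
// Added example of reflected XSS in a comment-posting handler and its fix.
// Not the productcomments module's code: parameter names, markup and helper
// names are assumptions made for illustration.

declare(strict_types=1);

/**
 * Vulnerable pattern: a request parameter (GET or POST) is copied into the
 * HTML response, here an error message that re-displays the submitted title,
 * with no output encoding. A link such as
 *   /module/productcomments/PostComment?comment_title=<img src=x onerror=alert(1)>
 * (hypothetical URL) makes the victim's browser execute the attacker's markup.
 */
function renderPostCommentErrorVulnerable(array $params): string
{
    $title = $params['comment_title'] ?? '';
    return '<p class="error">Could not post comment "' . $title . '"</p>';
}

/**
 * Encode for an HTML text/attribute context. ENT_QUOTES covers both quote
 * characters so the value is safe inside double- or single-quoted attributes
 * as well as in element text; ENT_SUBSTITUTE avoids returning an empty string
 * on invalid UTF-8, which would otherwise hide the input silently.
 */
function htmlEscape(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Hardened pattern: same behaviour, but every untrusted value is encoded at
 * the sink. The same input is now displayed literally instead of parsed as
 * markup.
 */
function renderPostCommentErrorFixed(array $params): string
{
    $title = $params['comment_title'] ?? '';
    return '<p class="error">Could not post comment "' . htmlEscape($title) . '"</p>';
}

// Constructed payload, as a malicious link would carry it in the query string.
$payload = ['comment_title' => '"><img src=x onerror=alert(document.cookie)>'];

echo "vulnerable: ", renderPostCommentErrorVulnerable($payload), PHP_EOL;
echo "fixed:      ", renderPostCommentErrorFixed($payload), PHP_EOL;

// Self-check: the hardened output must not contain a raw tag start.
if (strpos(renderPostCommentErrorFixed($payload), '<img') !== false) {
    fwrite(STDERR, "escaping failed\n");
    exit(1);
}
echo "ok: payload neutralised", PHP_EOL;
```

Run with `php example.php`; the first line shows the payload reflected as live markup, the second shows it encoded (`&quot;&gt;&lt;img ...`). Two practitioner notes: encoding must match the sink, so a value placed inside a JavaScript block or a URL needs a different encoder than `htmlspecialchars`, and a JSON response served with `Content-Type: text/html` is itself an HTML sink. To confirm exposure on a shop, check the installed module version in the back office Module Manager (or the `<version>` element of `modules/productcomments/config.xml`) and upgrade to 4.2.0 or later.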
OSV (osv · 2020-11-16): mirrors the GHSA advisory above (CVE-2020-26225 [MEDIUM], Reflected XSS with parameters in PostComment; fixed in 4.2.0).
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- Fix commit: https://github.com/PrestaShop/productcomments/commit/c56e3e9495c4a0a9c1e7dc43e1bb0fcad2796dbf
- Advisory: https://github.com/PrestaShop/productcomments/security/advisories/GHSA-58w4-w77w-qv3w