CVE-2020-15178: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

September 15, 2020 (updated January 7, 2021)

In PrestaShop contactform module (prestashop/contactform) before version 4.3.0, an attacker is able to inject JavaScript while using the contact form. The message field was incorrectly unescaped, possibly allowing attackers to execute arbitrary JavaScript in a victim’s browser.

References

github.com/PrestaShop/contactform/commit/ecd9f5d14920ec00885766a7cb41bcc5ed8bfa09
github.com/PrestaShop/contactform/security/advisories/GHSA-95hx-62rh-gg96
github.com/advisories/GHSA-95hx-62rh-gg96
nvd.nist.gov/vuln/detail/CVE-2020-15178
packagist.org/packages/prestashop/contactform

Detect and mitigate CVE-2020-15178 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →