CVE-2025-24027: ps_contactinfo has a potential XSS due to usage of the nofilter tag in template

January 22, 2025

This can not be exploited in a fresh install of PrestaShop, only shops made vulnerable by third party modules are concerned.

For example, if your shop has a third party module vulnerable to SQL injections, then ps_contactinfo might execute a stored XSS in FO.

References

github.com/PrestaShop/ps_contactinfo
github.com/PrestaShop/ps_contactinfo/commit/d60f9a5634b4fc2d3a8831fb08fe2e1f23cbfa39
github.com/PrestaShop/ps_contactinfo/security/advisories/GHSA-35pq-7pv2-2rfw
github.com/advisories/GHSA-35pq-7pv2-2rfw
nvd.nist.gov/vuln/detail/CVE-2025-24027

Code Behaviors & Features

Detect and mitigate CVE-2025-24027 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →