CVE-2023-39527 : PrestaShop is an open source e-commerce web application. Versions prior to 1.7.8

PrestaShop is an open source e-commerce web application. Versions prior to 1.7.8.10, 8.0.5, and 8.1.1 are vulnerable to cross-site scripting through the `isCleanHTML` method. Versions 1.7.8.10, 8.0.5, and 8.1.1 contain a patch. There are no known workarounds.

Published 2023-08-07 21:15:10

Updated 2023-08-09 20:19:10

Source GitHub, Inc.

View at NVD, CVE.org

Vulnerability category: Cross site scripting (XSS)

Products affected by CVE-2023-39527

Prestashop » Prestashop
Versions from including (>=) 8.0.0 and before (<) 8.0.5
cpe:2.3:a:prestashop:prestashop:*:*:*:*:*:*:*:*
Matching versions
Prestashop » Prestashop
Versions before (<) 1.7.8.10
cpe:2.3:a:prestashop:prestashop:*:*:*:*:*:*:*:*
Matching versions
Prestashop » Prestashop » Version: 8.1.0
cpe:2.3:a:prestashop:prestashop:8.1.0:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2023-39527

EPSS FAQ

1.03%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 76 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-39527

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.1	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	2.8	2.7	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Changed Confidentiality: Low Integrity: Low Availability: None
8.3	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:H/A:H	1.7	6.0	GitHub, Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: High User Interaction: Required Scope: Changed Confidentiality: Low Integrity: High Availability: High

CWE ids for CVE-2023-39527

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Assigned by: security-advisories@github.com (Primary)
CWE-116 Improper Encoding or Escaping of Output

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

Assigned by: security-advisories@github.com (Primary)

References for CVE-2023-39527

https://github.com/PrestaShop/PrestaShop/commit/afc14f8eaa058b3e6a20ac43e033ee2656fb88b4

Merge remote-tracking branch 'ghsa-xw2r-f8xv-c8xp/fix-advisory-1' int… · PrestaShop/PrestaShop@afc14f8 · GitHub
Patch
https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-xw2r-f8xv-c8xp

New possible XSS injection through Validate::isCleanHTML method · Advisory · PrestaShop/PrestaShop · GitHub
Vendor Advisory

Jump to

Vulnerability Details : CVE-2023-39527

Products affected by CVE-2023-39527

Exploit prediction scoring system (EPSS) score for CVE-2023-39527

CVSS scores for CVE-2023-39527

CWE ids for CVE-2023-39527

References for CVE-2023-39527