
CVE-2020-15178: Potential XSS injection In PrestaShop contactform

CVSS Score: 8 (CVSS v3.1)

Basic Information

EPSS Score: 0.6802%
Published: 9/15/2020
Updated: 1/12/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

Package Name: prestashop/contactform
Ecosystem: composer
Vulnerable Versions: >= 1.0.1, < 4.3.0
First Patched Version: 4.3.0

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from two key issues:

  1. In getWidgetVariables, html_entity_decode() was applied to user-controlled message input, reversing any existing HTML escaping and enabling script injection in the form's UI.
  2. In sendMessage, the message was only processed with stripslashes() before email template insertion, leaving HTML special characters unencoded. The patch added Tools::htmlentitiesUTF8() to properly sanitize output. Both functions directly handle user-supplied message input without adequate output encoding in vulnerable versions, making them the attack vectors for stored XSS.
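The two defects side by side with their hardened forms, as an added PHP illustration that is not the contactform module's own code. It assumes the widget input arrives already HTML-escaped (as the decode-reverses-escaping finding implies), uses constructed sample messages, and substitutes htmlentities() with ENT_QUOTES/UTF-8 for Tools::htmlentitiesUTF8().

```php
<?php
// Added illustration of the defects described in the root cause analysis.
// Not the prestashop/contactform module's code; names below are hypothetical.

// Constructed samples: the widget path receives the framework-escaped value,
// the mail path receives the raw submitted text.
$escapedMessage = '&lt;script&gt;alert(document.cookie)&lt;/script&gt;';
$rawMessage     = '<script>alert(document.cookie)</script>';

// Vulnerable getWidgetVariables(): html_entity_decode() undoes the escaping,
// so the template is handed raw markup instead of text.
function widgetVarsVulnerable(string $msg): array
{
    return ['message' => html_entity_decode($msg)];
}

// Fixed: pass the escaped value through unchanged; the template prints text.
function widgetVarsFixed(string $msg): array
{
    return ['message' => $msg];
}

// Vulnerable sendMessage(): stripslashes() only removes backslashes and
// leaves < > " ' intact when the message is dropped into the HTML mail body.
function mailBodyVulnerable(string $msg): string
{
    return '<p>' . stripslashes($msg) . '</p>';
}

// Fixed: encode HTML special characters before inserting into the template.
// htmlentities() with ENT_QUOTES/UTF-8 stands in for Tools::htmlentitiesUTF8().
function mailBodyFixed(string $msg): string
{
    return '<p>' . htmlentities(stripslashes($msg), ENT_QUOTES, 'UTF-8') . '</p>';
}

// Reviewer check: does the rendered output still carry an unencoded tag?
function containsRawTag(string $html): bool
{
    return (bool) preg_match('/<script\b/i', $html);
}

var_dump(containsRawTag(widgetVarsVulnerable($escapedMessage)['message'])); // bool(true)
var_dump(containsRawTag(widgetVarsFixed($escapedMessage)['message']));      // bool(false)
var_dump(containsRawTag(mailBodyVulnerable($rawMessage)));                  // bool(true)
var_dump(containsRawTag(mailBodyFixed($rawMessage)));                       // bool(false)
```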

### Impact

An attacker is able to inject javascript while using the contact form.

### Patches

The problem is fixed in v4.3.0

### References

[Cross-site Scripting (XSS) - Stored (CWE-79)](https://cwe.mitre.org/data/definitions/79.html)
