CVE-2020-26225: Reflected XSS with parameters in PostComment
CVSS Score: 8.7 (CVSS 3.1)
Basic Information

CVE ID: CVE-2020-26225
GHSA ID:
EPSS Score: 0.53305%
CWE:
Published: 11/16/2020
Updated: 1/9/2023
KEV Status: No
Technology: PHP
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| prestashop/productcomments | composer | >= 4.0.0, < 4.2.0 | 4.2.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from controller responses that were sent without a Content-Type: application/json header, which allowed browsers to interpret the JSON payload as HTML. User-controlled data reflected in those responses (for example, error messages containing HTML markup) could therefore be rendered as markup, producing reflected XSS. The commit patched this by adding the proper header and removing manual JSON parsing in the client-side JavaScript. The affected display() methods in the front controllers handled user input and returned responses that were open to HTML injection because of the missing header.
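As an added illustration (not the module's own code; the function names and the errors array are assumed), a minimal PHP front-controller response showing the weak pattern the analysis describes beside the corrected one:

```php
<?php
// Added example, not prestashop/productcomments code. displayWeak(),
// displayFixed() and the $errors array are assumed for illustration.

// Weak pattern: the JSON body is echoed with no Content-Type header, so the
// server default (typically text/html) applies and a browser that loads the
// controller URL directly may render any markup reflected into an error.
function displayWeak(array $errors): string
{
    return json_encode(['success' => false, 'errors' => $errors]);
}

// Corrected pattern: declare the JSON media type explicitly, forbid MIME
// sniffing, and HTML-escape the significant characters so the payload stays
// inert even if something ever displays it as markup.
function displayFixed(array $errors): string
{
    header('Content-Type: application/json; charset=utf-8');
    header('X-Content-Type-Options: nosniff');
    return json_encode(
        ['success' => false, 'errors' => $errors],
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
}

// Constructed sample input: an error message carrying user-supplied markup,
// as a reflected request parameter might.
$sample = ['Invalid comment: <b>example</b>'];

$weak  = displayWeak($sample);   // "<b>" reaches the body verbatim
$fixed = displayFixed($sample);  // "<b>" is emitted as \u003Cb\u003E

echo $weak, PHP_EOL;
echo $fixed, PHP_EOL;
```

The matching client-side change is to let the XHR or fetch layer decode the body as JSON and insert the decoded strings as text, rather than parsing the raw response by hand and treating it as HTML.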