
CVE-2020-26225: Reflected XSS with parameters in PostComment

CVSS Score
8.7 (CVSS v3.1)

Basic Information

EPSS Score
0.53305%
Published
11/16/2020
Updated
1/9/2023
KEV Status
No
Technology
PHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Package Name
prestashop/productcomments
Ecosystem
composer
Vulnerable Versions
>= 4.0.0, < 4.2.0
First Patched Version
4.2.0

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from missing Content-Type: application/json headers in controller responses, which allowed browsers to misinterpret JSON payloads as HTML. This enabled XSS when user-controlled data (e.g., error messages with HTML markup) was reflected in responses. The commit patched this by adding proper headers and removing manual JSON parsing in client-side JavaScript. The affected display() methods in front controllers handled user input and returned responses vulnerable to HTML injection due to the missing headers.
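As an added illustration of the root cause described above (example code, not the productcomments module's own): a hypothetical front-controller display method that reflects a user-supplied error message back as JSON, first in the form that relies on PHP's default text/html Content-Type, then hardened with an explicit JSON header, nosniff, and HTML-safe JSON encoding. Function and variable names are assumptions.

```php
<?php
// Added example, not PrestaShop productcomments code. Names are hypothetical.

// Vulnerable form: no Content-Type is set, so PHP's default_mimetype (text/html)
// is sent and a browser opening the URL directly renders any markup carried
// inside the reflected $errorMessage instead of treating the body as data.
function displayVulnerable(string $errorMessage): string
{
    $body = json_encode(['success' => false, 'error' => $errorMessage]);
    echo $body;
    return $body;
}

// Hardened form: declare the body as JSON so the browser never renders it,
// forbid MIME sniffing, and escape HTML-significant characters inside the JSON
// strings so even a mislabelled copy of the body carries no active markup.
function displayFixed(string $errorMessage): string
{
    header('Content-Type: application/json; charset=utf-8');
    header('X-Content-Type-Options: nosniff');
    $body = json_encode(
        ['success' => false, 'error' => $errorMessage],
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
    echo $body;
    return $body;
}

// Constructed input: a message containing markup, as a reflected parameter would.
$input = $_GET['error'] ?? '<b>Comment rejected</b>';
displayFixed($input);
```

On the client side the matching fix is to consume the response with `response.json()` (or `JSON.parse` on `responseText`) and insert the message with `textContent`, not `innerHTML`, which is what the commit's removal of manual JSON parsing in the JavaScript achieves.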

Vulnerable functions


WAF Protection Rules

WAF Rule

Impact
An attacker could inject malicious web code into the users' web browsers by creating a malicious link.

Patches
The problem is fixed in 4.2.0

References
[Cross-site Scripting (XSS) - Reflected (CWE-79)](https://cwe.mitre.org/data
