Touchweb-Vincent

**Name of the Vulnerable Software and Affected Versions** PrestaShop versions prior to 8.0.4 and 1.7.8.9 **Description** The issue concerns the `ValidateCore::isCleanHTML()` method of PrestaShop, which misses hijackable events, leading to cross-site scripting (XSS) injection. This is allowed by the presence of pre-setup `@keyframes` methods. The XSS can hijack HTML attributes and can be triggered without any interaction by the visitor or administrator, making it as dangerous as a trivial XSS attack. Unlike other attacks that target HTML attributes and are triggered without user interaction, this one can hijack every HTML element, increasing the danger due to its complete HTML elements scope. **Recommendations** For PrestaShop versions prior to 8.0.4, update to version 8.0.4 or later. For PrestaShop versions prior to 1.7.8.9, update to version 1.7.8.9 or later.

**Name of the Vulnerable Software and Affected Versions** PrestaShop/paypal versions 3.12.0 through 3.16.3 **Description** A SQL injection issue allows a remote attacker to gain privileges, modify data, and potentially affect system availability. The cause of this issue is that SQL queries were being constructed with user input which had not been properly filtered. Only deployments on PrestaShop 1.6 are affected. **Recommendations** For PrestaShop/paypal versions 3.12.0 through 3.16.3, upgrade to module version 3.16.4. As a temporary workaround, consider restricting user input to prevent SQL injection attacks until a patch is available.