CVE-2023-30838

Name of the Vulnerable Software and Affected Versions PrestaShop versions prior to 8.0.4 and 1.7.8.9

Description The issue concerns the ValidateCore::isCleanHTML() method of PrestaShop, which misses hijackable events, leading to cross-site scripting (XSS) injection. This is allowed by the presence of pre-setup @keyframes methods. The XSS can hijack HTML attributes and can be triggered without any interaction by the visitor or administrator, making it as dangerous as a trivial XSS attack. Unlike other attacks that target HTML attributes and are triggered without user interaction, this one can hijack every HTML element, increasing the danger due to its complete HTML elements scope.

Recommendations For PrestaShop versions prior to 8.0.4, update to version 8.0.4 or later. For PrestaShop versions prior to 1.7.8.9, update to version 1.7.8.9 or later.