CVE-2021-21418

Опубликовано: 31 мар. 2021

Источник: nvd

CVSS3: 4.6

CVSS3: 5.4

CVSS2: 3.5

EPSS Низкий

Описание

ps_emailsubscription is a newsletter subscription module for the PrestaShop platform. An employee can inject javascript in the newsletter condition field that will then be executed on the front office The issue has been fixed in 2.6.1

Ссылки

https://github.com/PrestaShop/ps_emailsubscription/commit/664ffb225e2afb4a32640bbedad667dc6e660b70
Patch
Third Party Advisory
https://github.com/PrestaShop/ps_emailsubscription/releases/tag/v2.6.1
Release Notes
Third Party Advisory
https://github.com/PrestaShop/ps_emailsubscription/security/advisories/GHSA-vwfx-hh3w-fj99
Third Party Advisory
https://packagist.org/packages/prestashop/ps_emailsubscription
Third Party Advisory
https://github.com/PrestaShop/ps_emailsubscription/commit/664ffb225e2afb4a32640bbedad667dc6e660b70
Patch
Third Party Advisory
https://github.com/PrestaShop/ps_emailsubscription/releases/tag/v2.6.1
Release Notes
Third Party Advisory
https://github.com/PrestaShop/ps_emailsubscription/security/advisories/GHSA-vwfx-hh3w-fj99
Third Party Advisory
https://packagist.org/packages/prestashop/ps_emailsubscription
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:prestashop:ps_emailsubscription:*:*:*:*:*:prestashop:*:*

Версия от 2.6.0 (включая) до 2.6.1 (исключая)

EPSS

Процентиль: 50%

0.00264

Низкий

4.6 Medium

CVSS3

5.4 Medium

CVSS3

3.5 Low

CVSS2

Дефекты

CWE-79

Связанные уязвимости

GHSA-vwfx-hh3w-fj99

CVSS3: 4.6

github

почти 5 лет назад

Potential XSS injection in the newsletter conditions field

EPSS

Процентиль: 50%

0.00264

Низкий

4.6 Medium

CVSS3

5.4 Medium

CVSS3

3.5 Low

CVSS2

Дефекты

CWE-79