{"id":"CVE-2024-21628","summary":"XSS can be stored in DB from \"add a message form\" in order detail page (FO)","details":"PrestaShop is an open-source e-commerce platform. Prior to version 8.1.3, the isCleanHtml method is not used on this form, which makes it possible to store a cross-site scripting payload in the database. The impact is low because the HTML is not interpreted in BO, thanks to twig's escape mechanism. In FO, the cross-site scripting attack is effective, but only impacts the customer sending it, or the customer session from which it was sent. This issue affects those who have a module fetching these messages from the DB and displaying them without escaping HTML. Version 8.1.3 contains a patch for this issue.","aliases":["BIT-prestashop-2024-21628","GHSA-vr7m-r9vm-m4wf"],"modified":"2026-03-20T12:34:27.444057Z","published":"2024-01-02T21:17:14.733Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/21xxx/CVE-2024-21628.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-79"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/21xxx/CVE-2024-21628.json"},{"type":"ADVISORY","url":"https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-vr7m-r9vm-m4wf"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-21628"},{"type":"FIX","url":"https://github.com/PrestaShop/PrestaShop/commit/c3d78b7e49f5fe49a9d07725c3174d005deaa597"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/prestashop/prestashop","events":[{"introduced":"0"},{"fixed":"67fc1aedf438639f41207f5f728046f92865e532"}]}],"versions":["1.5.3.0","1.5.4.1","1.5.6.0","1.5.6.1","1.5.6.2","1.6.0.1","1.6.0.11","1.6.0.12","1.6.0.13","1.6.0.14","1.6.0.2","1.6.0.3","1.6.0.4","1.6.0.5","1.6.0.6","1.6.0.7","1.6.0.8","1.6.0.9","1.6.1.0","1.6.1.1","1.6.1.2-RC3","1.7.0.0","1.7.0.0-beta.1.0","1.7.0.0-beta.2.0","1.7.0.0-beta.3.0","1.7.0.0-beta.4.0","1.7.0.0-rc.0.0","1.7.0.1"
,"1.7.0.2","1.7.0.3","1.7.0.4","1.7.0.5","1.7.0.6","1.7.1.0","1.7.1.1","1.7.1.2","1.7.2.0","1.7.2.0-rc.1.0","1.7.2.1","1.7.2.2","1.7.2.3","1.7.2.4","1.7.3.0","1.7.3.1","1.7.3.2","1.7.3.3","1.7.3.4","1.7.4.0","1.7.4.1","1.7.4.2","1.7.4.3","1.7.5.0","1.7.5.0-rc.1","1.7.5.1","1.7.6.0","1.7.6.0-beta.1","1.7.6.0-rc.1","1.7.6.0-rc.2","1.7.6.1","1.7.6.2","1.7.6.3","1.7.6.4","1.7.6.5","1.7.6.6","1.7.6.7","1.7.6.8","1.7.6.9","1.7.7.0","1.7.7.0-beta.1","1.7.7.0-beta.2","1.7.7.0-rc.1","1.7.7.1","1.7.7.2","1.7.7.3","1.7.7.4","1.7.7.5","1.7.7.6","1.7.7.7","1.7.7.8","1.7.8.0","1.7.8.0-beta.1","1.7.8.0-rc.1","1.7.8.1","1.7.8.2","1.7.8.3","1.7.8.4","1.7.8.5","1.7.8.6","1.7.8.7","1.7.8.8","8.0.0","8.0.0-beta.1","8.0.0-rc.1","8.0.1","8.0.2","8.0.3","8.0.4","8.0.5","8.1.0","8.1.0-beta.1","8.1.0-rc.1","8.1.1","8.1.2","show"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-21628.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:L"}]}