CVE-2012-20001
Description
PrestaShop before 1.5.2 allows XSS via the "<object data='data:text/html" substring in the message field.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| prestashop/prestashop (Packagist) | < 1.5.2.0 | 1.5.2.0 |
Affected products
- PrestaShop/PrestaShop
Patches
Vulnerability mechanics
Root cause
"The `isCleanHtml()` function fails to neutralize `"
Attack vector
An attacker submits a message through the Contact Form containing an `
Affected code
The vulnerability exists in the `isCleanHtml()` function, which is used in many places in PrestaShop, particularly in the Contact Form [ref_id=1]. The function fails to properly sanitize `
What the fix does
The advisory states the issue was resolved in PrestaShop version 1.5.2 [ref_id=1]. The recommended remediation is to either strip all HTML from the message field (since HTML has no legitimate purpose in a contact form) or to improve the `isCleanHtml()` sanitization function to properly filter out `
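A defender-side illustration of the two remediation options, added here as an example and not PrestaShop's code (written in Python rather than PHP for portability): `denylist_clean()` is a hypothetical denylist sanitizer standing in for the root-cause class and is not `isCleanHtml()`; `strip_all_html()` encodes the whole message, as the first option recommends; `has_object_data_uri()` flags stored messages matching the pattern in this CVE's description. The sample message is constructed.

```python
import html
import re

# Constructed sample input: a contact-form message carrying the substring the
# CVE description names. The surrounding text is invented.
SAMPLE_MESSAGE = "Hi, order #123 is late. <object data='data:text/html,x'></object> Thanks"

# Hypothetical denylist sanitizer (NOT PrestaShop's isCleanHtml()): it removes
# <script> elements and inline event handlers only, which is the root-cause
# class this CVE belongs to: a denylist is silent on any tag it does not list.
_SCRIPT_RE = re.compile(r"<\s*/?\s*script\b[^>]*>", re.IGNORECASE)
_ON_HANDLER_RE = re.compile(r"\son\w+\s*=\s*(\"[^\"]*\"|'[^']*'|[^\s>]+)", re.IGNORECASE)


def denylist_clean(message: str) -> str:
    message = _SCRIPT_RE.sub("", message)
    return _ON_HANDLER_RE.sub("", message)


def strip_all_html(message: str) -> str:
    """Remediation option 1: encode every HTML-significant character so the
    message renders as literal text in the admin area or a webmail client.
    No markup survives, including <object>."""
    return html.escape(message, quote=True)


# Detection: flag a submission whose <object> element points at a data: URI,
# the pattern from this CVE, e.g. for alerting on already-stored messages.
_OBJECT_DATA_URI_RE = re.compile(
    r"<\s*object\b[^>]*\bdata\s*=\s*[\"']?\s*data:", re.IGNORECASE
)


def has_object_data_uri(message: str) -> bool:
    return _OBJECT_DATA_URI_RE.search(message) is not None


def is_safe_for_html_context(text: str) -> bool:
    """True when no raw tag delimiters remain, so the text cannot open an element."""
    return "<" not in text and ">" not in text


if __name__ == "__main__":
    print("denylist result :", denylist_clean(SAMPLE_MESSAGE))
    print("strip-all result:", strip_all_html(SAMPLE_MESSAGE))
    print("flagged         :", has_object_data_uri(SAMPLE_MESSAGE))
```

Running it shows the denylist sanitizer passing the `<object>` element through untouched while the encoded form carries no tag delimiters at all.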
Preconditions
- input: The attacker must have access to the PrestaShop Contact Form (or another form using `isCleanHtml()`)
- config: The admin must view the submitted message in the admin area (or the victim must view the message in a webmail client)
Reproduction
1. Navigate to the PrestaShop Contact Form. 2. In the message field, enter: `
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-j33m-2537-86jm (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2012-20001 (advisory)
- seclists.org/bugtraq/2012/Nov/1 (web)
- web.archive.org/web/20140803034142/http://forge.prestashop.com/browse/PSCFV-5204 (web)
- web.archive.org/web/20160305224628/http://davidsopas.com/labs/prestashop_xss.txt (web)