VYPR
Moderate severity · NVD Advisory · Published May 24, 2019 · Updated Aug 4, 2024

CVE-2019-11876

Description

PrestaShop 1.7.5.2 installer has a reflected XSS via the shop_country parameter, requiring user interaction with early setup steps.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Overview

CVE-2019-11876 is a reflected cross-site scripting (XSS) vulnerability affecting the installation script of PrestaShop version 1.7.5.2 [1]. The flaw resides in the install/index.php component, specifically within the shop_country parameter, which is not properly sanitized before being reflected back to the user's browser [1].

Attack Vector

To exploit this vulnerability, an attacker must craft a malicious link containing a JavaScript payload in the shop_country parameter. The victim must first navigate through the initial setup wizard, including accepting the terms and conditions, before the reflected XSS is triggered [1]. This prerequisite reduces the likelihood of exploitation but does not eliminate the risk, especially in scenarios where users may be tricked into following such a link during a fresh installation process.

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's session within the installer environment. This could lead to session hijacking, defacement, or redirection to malicious sites, potentially compromising the installation process and the subsequent e-commerce store [3].

Mitigation

The vendor addressed this vulnerability in PrestaShop version 1.7.6 (beta or later) [3]. Users running PrestaShop 1.7.5.2 should upgrade to a patched version immediately. No other workarounds are documented for this specific issue.

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: prestashop/prestashop (Packagist)
Affected versions: >= 1.7.5.2, < 1.7.6.0
Patched versions: 1.7.6.0

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The `shop_country` parameter in `install/index.php` is reflected in the web page output without proper neutralization, enabling cross-site scripting."

Attack vector

An attacker crafts a malicious URL containing a JavaScript payload in the `shop_country` parameter of `install/index.php`. The victim must first complete the initial installation steps (accepting terms and conditions) before the reflected payload executes in their browser [CWE-79] [ref_id=1]. No authentication is required because the installer is publicly accessible during setup.

Affected code

The vulnerability resides in the `install/index.php` script of PrestaShop 1.7.5.2. The `shop_country` parameter is not sanitized before being reflected in the installer's web page output, leading to a reflected XSS condition [ref_id=1].

What the fix does

The advisory does not include a published patch or specific fix details [ref_id=1]. To remediate, the `shop_country` parameter should be properly sanitized or encoded before being rendered in the installer page, preventing arbitrary script injection. The vendor's release notes forum is referenced but no explicit patch commit is provided.
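As an added illustration (not PrestaShop's code and not the vendor's actual fix), the vulnerable reflection pattern is shown beside a hardened form; the function names, the hidden-input attribute context and the assumption that shop_country is an ISO 3166-1 alpha-2 code are illustrative choices:

```php
<?php
// Added example, not PrestaShop's code. Function names, the attribute
// context and the ISO alpha-2 expectation for shop_country are assumptions.

// Vulnerable pattern: the raw query parameter is echoed into HTML unchanged,
// so a value containing '"' or '<' breaks out of the attribute.
function render_country_vulnerable(string $shopCountry): string
{
    return '<input type="hidden" name="shop_country" value="' . $shopCountry . '">';
}

// Hardened pattern, two layers of defence:
//  1. validate: shop_country is expected to be a two-letter country code,
//     so anything else is rejected and replaced by a safe default;
//  2. encode: whatever is rendered is entity-encoded for an attribute
//     context (ENT_QUOTES covers both " and '; charset stated explicitly).
function render_country_hardened(string $shopCountry, string $default = 'US'): string
{
    if (!preg_match('/^[A-Z]{2}$/', $shopCountry)) {
        $shopCountry = $default;
    }
    $safe = htmlspecialchars($shopCountry, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="shop_country" value="' . $safe . '">';
}

// Constructed sample inputs: a legitimate code and a value carrying markup
// that would escape the attribute if reflected verbatim.
$samples = [
    'FR',
    'FR"><script>/* constructed marker */</script>',
];

foreach ($samples as $raw) {
    echo "input:      $raw\n";
    echo "vulnerable: " . render_country_vulnerable($raw) . "\n";
    echo "hardened:   " . render_country_hardened($raw) . "\n\n";
}
```

Run with `php example.php`; the hardened output for the second sample falls back to the default code, and even without validation the encoding alone would keep the reflected text inside the attribute.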

Preconditions

  • [config] The PrestaShop installation must not yet be completed (installer accessible)
  • [input] The victim must have accepted the terms and conditions on the first installer page
  • [input] The attacker must trick the victim into clicking a crafted URL

Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 6

News mentions: 0

No linked articles in our index yet.