High severity · NVD Advisory · Published Sep 15, 2020 · Updated Aug 4, 2024
Potential XSS in PrestaShop contactform
CVE-2020-15178
Description
In PrestaShop contactform module (prestashop/contactform) before version 4.3.0, an attacker is able to inject JavaScript while using the contact form. The message field was incorrectly unescaped, possibly allowing attackers to execute arbitrary JavaScript in a victim's browser.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| prestashop/contactform (Packagist) | >= 1.0.1, < 4.3.0 | 4.3.0 |
Affected products
- PrestaShop/contactform · v5 · Range: < 4.3.0
References
- github.com/advisories/GHSA-95hx-62rh-gg96 (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2020-15178 (ghsa; ADVISORY)
- github.com/PrestaShop/contactform/commit/a1da814bea7e5750b858a2dbbc58ace80379f42f (ghsa; WEB)
- github.com/PrestaShop/contactform/commit/ecd9f5d14920ec00885766a7cb41bcc5ed8bfa09 (ghsa, x_refsource_MISC; WEB)
- github.com/PrestaShop/contactform/security/advisories/GHSA-95hx-62rh-gg96 (ghsa, x_refsource_CONFIRM; WEB)
- packagist.org/packages/prestashop/contactform (ghsa, x_refsource_MISC; WEB)