Unrated severityNVD Advisory· Published Apr 20, 2020· Updated Aug 4, 2024

Reflected XSS in security compromised page of PrestaShop

CVE-2020-5264

Description

In PrestaShop before version 1.7.6.5, there is a reflected XSS while running the security compromised page. It allows anyone to execute arbitrary action. The problem is patched in the 1.7.6.5.

Affected products

Prestashop/Prestashopv5
Range: < 1.7.6.5

Patches

270ed6f80fad

Merge pull request #18659 from sowbiba/changelog-1765

https://github.com/prestashop/prestashopPablo BorowiczApr 17, 2020via osv

commit

1 file changed · +41 −0

docs/CHANGELOG.txt+41 −0 modified

@@ -24,6 +24,47 @@ International Registered Trademark & Property of PrestaShop SA
 Release Notes for PrestaShop 1.7
 --------------------------------
 
+####################################
+#   v1.7.6.5 - (2020-04-17)
+####################################
+- Back Office:
+  - Bug fix:
+    - #18637: Fix sidebar not displayed in BO Add employee page (by @Progi1984)
+    - #18607: Fix wrong number of "Last emails" in BO - Customer View page (by @PululuK)
+    - #17920: Wrong redirection when using the quick search for a category (by @PululuK)
+    - #18064: Fix error when trying to translate Serbian using the BO interface (by @eternoendless)
+- Front Office:
+  - Bug fix:
+    - #18633: Convert cart rule value when order currency is different (by @sowbiba)
+    - #18493: Change product redirection rules to redirect to valid attribute url (by @jolelievre)
+    - #18103: Duplicate address when submitting a form with errors (by @PierreRambaud)
+- Core:
+  - Improvement:
+    - #18638: Update version to 1.7.6.5 (by @PierreRambaud)
+  - Bug fix:
+    - #GHSA-cvjj-grfv-f56w - Improper access control on product page with combinations, attachments and specific prices (by @PierreRambaud)
+    - #GHSA-4wxg-33h3-3w5r - Improper access control on product attributes page (by @PierreRambaud)
+    - #GHSA-r6rp-6gv6-r9hq - Improper access control on customers search (by @PierreRambaud)
+    - #GHSA-74vp-ww64-w2gm - Improper Access Control (by @PierreRambaud)
+    - #GHSA-98j8-hvjv-x47j - Reflected XSS related in import page (by @PierreRambaud)
+    - #GHSA-j3r6-33hf-m8wh - Reflected XSS with back parameter (by @PierreRambaud)
+    - #GHSA-mrpj-67mq-3fr5 - Reflected XSS on Exception page (by @PierreRambaud)
+    - #GHSA-q6pr-42v5-v97q - Reflected XSS on AdminCarts page (by @PierreRambaud)
+    - #GHSA-rpg3-f23r-jmqv - Reflected XSS on Search page (by @PierreRambaud)
+    - #GHSA-m2x6-c2c6-pjrx - Reflected XSS with dashboard calendar (by @PierreRambaud)
+    - #GHSA-375w-q56h-h7qc - Open redirection when using back parameter (by @PierreRambaud)
+    - #GHSA-87jh-7xpg-6v93 - Reflected XSS on AdminFeatures page (by @PierreRambaud)
+    - #GHSA-7fmr-5vcc-329j - Reflected XSS on AdminAttributesGroups page (by @PierreRambaud)
+    - #GHSA-48vj-vvr6-jj4f - Reflected XSS in security compromised page (by @PierreRambaud)
+
+- Installer:
+  - Bug fix:
+    - #18491: Installation under CLI doesn't take BASE_URI and Apache rewrite in consideration (by @PierreRambaud)
+    - #18451: Use scandir instead of readdir to get sorted entities (by @PierreRambaud)
+- Tests:
+  - Bug fix:
+    - #18309: Change test fixtures that need to be in the future (by @jolelievre)
+
 ####################################
 #   v1.7.6.4 - (2020-03-02)
 ####################################

06b7765c91c5

Merge pull request from GHSA-48vj-vvr6-jj4f

https://github.com/prestashop/prestashopGoTApr 15, 2020via osv

commit

1 file changed · +12 −3

src/PrestaShopBundle/Controller/Admin/SecurityController.php+12 −3 modified

@@ -28,6 +28,7 @@
 
 use PrestaShopBundle\Service\Routing\Router as PrestaShopRouter;
 use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\Validator\Constraints as Assert;
 
 /**
  * Admin controller to manage security pages.
@@ -37,6 +38,11 @@ class SecurityController extends FrameworkBundleAdminController
     public function compromisedAccessAction(Request $request)
     {
         $requestUri = urldecode($request->query->get('uri'));
+        $url = new Assert\Url();
+        $violations = $this->get('validator')->validate($requestUri, [$url]);
+        if ($violations->count()) {
+            return $this->redirect('dashboard');
+        }
 
         // getToken() actually generate a new token
         $username = $this->get('prestashop.user_provider')->getUsername();
@@ -47,8 +53,11 @@ public function compromisedAccessAction(Request $request)
 
         $newUri = PrestaShopRouter::generateTokenizedUrl($requestUri, $newToken);
 
-        return $this->render('@PrestaShop/Admin/Security/compromised.html.twig', array(
-            'requestUri' => $newUri,
-        ));
+        return $this->render(
+            '@PrestaShop/Admin/Security/compromised.html.twig',
+            array(
+                'requestUri' => $newUri,
+            )
+        );
     }
 }

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/PrestaShop/PrestaShop/commit/06b7765c91c58e09ab4f8ddafbde02070fcb6f3amitrex_refsource_CONFIRM
github.com/PrestaShop/PrestaShop/security/advisories/GHSA-48vj-vvr6-jj4fmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000