VYPR
Get started
← All advisories
Unrated severityNVD Advisory· Published Apr 20, 2020· Updated Aug 4, 2024

Reflected XSS with dashboard calendar of PrestaShop

CVE-2020-5271

Description

In PrestaShop between versions 1.6.0.0 and 1.7.6.5, there is a reflected XSS with date_from and date_to parameters in the dashboard page This problem is fixed in 1.7.6.5

Affected products

1

Patches

2
270ed6f80fad

Merge pull request #18659 from sowbiba/changelog-1765

https://github.com/prestashop/prestashopPablo BorowiczApr 17, 2020via osv
commit
1 file changed · +41 0
  • docs/CHANGELOG.txt+41 0 modified
    @@ -24,6 +24,47 @@ International Registered Trademark & Property of PrestaShop SA
 Release Notes for PrestaShop 1.7
 --------------------------------
 
+####################################
+#   v1.7.6.5 - (2020-04-17)
+####################################
+- Back Office:
+  - Bug fix:
+    - #18637: Fix sidebar not displayed in BO Add employee page (by @Progi1984)
+    - #18607: Fix wrong number of "Last emails" in BO - Customer View page (by @PululuK)
+    - #17920: Wrong redirection when using the quick search for a category (by @PululuK)
+    - #18064: Fix error when trying to translate Serbian using the BO interface (by @eternoendless)
+- Front Office:
+  - Bug fix:
+    - #18633: Convert cart rule value when order currency is different (by @sowbiba)
+    - #18493: Change product redirection rules to redirect to valid attribute url (by @jolelievre)
+    - #18103: Duplicate address when submitting a form with errors (by @PierreRambaud)
+- Core:
+  - Improvement:
+    - #18638: Update version to 1.7.6.5 (by @PierreRambaud)
+  - Bug fix:
+    - #GHSA-cvjj-grfv-f56w - Improper access control on product page with combinations, attachments and specific prices (by @PierreRambaud)
+    - #GHSA-4wxg-33h3-3w5r - Improper access control on product attributes page (by @PierreRambaud)
+    - #GHSA-r6rp-6gv6-r9hq - Improper access control on customers search (by @PierreRambaud)
+    - #GHSA-74vp-ww64-w2gm - Improper Access Control (by @PierreRambaud)
+    - #GHSA-98j8-hvjv-x47j - Reflected XSS related in import page (by @PierreRambaud)
+    - #GHSA-j3r6-33hf-m8wh - Reflected XSS with back parameter (by @PierreRambaud)
+    - #GHSA-mrpj-67mq-3fr5 - Reflected XSS on Exception page (by @PierreRambaud)
+    - #GHSA-q6pr-42v5-v97q - Reflected XSS on AdminCarts page (by @PierreRambaud)
+    - #GHSA-rpg3-f23r-jmqv - Reflected XSS on Search page (by @PierreRambaud)
+    - #GHSA-m2x6-c2c6-pjrx - Reflected XSS with dashboard calendar (by @PierreRambaud)
+    - #GHSA-375w-q56h-h7qc - Open redirection when using back parameter (by @PierreRambaud)
+    - #GHSA-87jh-7xpg-6v93 - Reflected XSS on AdminFeatures page (by @PierreRambaud)
+    - #GHSA-7fmr-5vcc-329j - Reflected XSS on AdminAttributesGroups page (by @PierreRambaud)
+    - #GHSA-48vj-vvr6-jj4f - Reflected XSS in security compromised page (by @PierreRambaud)
+
+- Installer:
+  - Bug fix:
+    - #18491: Installation under CLI doesn't take BASE_URI and Apache rewrite in consideration (by @PierreRambaud)
+    - #18451: Use scandir instead of readdir to get sorted entities (by @PierreRambaud)
+- Tests:
+  - Bug fix:
+    - #18309: Change test fixtures that need to be in the future (by @jolelievre)
+
 ####################################
 #   v1.7.6.4 - (2020-03-02)
 ####################################
c464518d2aaf

Merge pull request from GHSA-m2x6-c2c6-pjrx

https://github.com/prestashop/prestashopGoTApr 15, 2020via osv
commit
1 file changed · +10 10
  • classes/helper/HelperCalendar.php+10 10 modified
    @@ -145,49 +145,49 @@ public function getDateFormat()
         return $this->_date_format;
     }
 
-    public function setDateFrom($value)
+    public function setDateFrom($value = '')
     {
-        if (!isset($value) || $value == '') {
-            $value = date('Y-m-d', strtotime('-31 days'));
+        if (empty($value)) {
+            $value = strtotime('-31 days');
         }
 
         if (!is_string($value)) {
             throw new PrestaShopException('Date must be a string');
         }
 
-        $this->_date_from = $value;
+        $this->_date_from = date('Y-m-d', strtotime($value));
 
         return $this;
     }
 
     public function getDateFrom()
     {
         if (!isset($this->_date_from)) {
-            $this->_date_from = date('Y-m-d', strtotime('-31 days'));
+            $this->setDateFrom();
         }
 
         return $this->_date_from;
     }
 
-    public function setDateTo($value)
+    public function setDateTo($value = '')
     {
-        if (!isset($value) || $value == '') {
-            $value = date('Y-m-d');
+        if (empty($value)) {
+            $value = strtotime('-31 days');
         }
 
         if (!is_string($value)) {
             throw new PrestaShopException('Date must be a string');
         }
 
-        $this->_date_to = $value;
+        $this->_date_to = date('Y-m-d', strtotime($value));
 
         return $this;
     }
 
     public function getDateTo()
     {
         if (!isset($this->_date_to)) {
-            $this->_date_to = date('Y-m-d');
+            $this->setDateTo();
         }
 
         return $this->_date_to;

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2

News mentions

0

No linked articles in our index yet.