CVE-2023-45957
Description
A stored cross-site scripting (XSS) vulnerability in the component admin/AdminRequestSqlController.php of thirty bees before 1.5.0 allows attackers to execute arbitrary web script or HTML via $e->getMessage() error mishandling.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- thirty bees / thirty bees
- Range: <1.5.0
Patches
Vulnerability mechanics
Root cause
"Missing output sanitization on exception message in admin error handling allows stored XSS."
Attack vector
An attacker can trigger a `PrestaShopException` whose message contains arbitrary web script or HTML. Because the exception message is stored unsanitized in `$this->errors[]` and later rendered in the admin panel, the injected script executes in the context of an administrator's browser session [ref_id=1]. This is a stored cross-site scripting (XSS) attack that requires no special network path beyond access to the vulnerable admin endpoint.
Affected code
The vulnerability is in `controllers/admin/AdminRequestSqlController.php` within the `renderView()` method. The catch block for `PrestaShopException` directly assigns `$e->getMessage()` to `$this->errors[]` without sanitization [ref_id=1].
What the fix does
The patch wraps `$e->getMessage()` with `Tools::safeOutput()` before assigning it to `$this->errors[]` [ref_id=1]. `Tools::safeOutput()` HTML-encodes the string, preventing any embedded script tags or HTML from being interpreted by the browser. This closes the stored XSS by ensuring exception messages are rendered as plain text rather than executable markup.
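The vulnerable catch block beside its hardened form, as an added illustration that is not thirty bees code: `RequestSqlView`, `safe_output()` and the local `PrestaShopException` class are stand-ins, and `safe_output()` is assumed to mirror the HTML-encoding behaviour the page attributes to `Tools::safeOutput()`.

```php
<?php
// Added illustration, not thirty bees code. Models the sink described above: an
// exception message stored in $this->errors[] and later echoed into admin HTML.
// Stand-in for the project's exception class.
class PrestaShopException extends Exception {}

// Stand-in for Tools::safeOutput(): assumed to HTML-encode the string so that
// markup in the message is displayed as text rather than parsed by the browser.
function safe_output(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

class RequestSqlView
{
    public array $errors = [];

    // Before the fix: the raw message is stored and reaches the template untouched.
    public function renderViewVulnerable(callable $query): void
    {
        try {
            $query();
        } catch (PrestaShopException $e) {
            $this->errors[] = $e->getMessage();
        }
    }

    // After the fix: the message is encoded before it is stored.
    public function renderViewFixed(callable $query): void
    {
        try {
            $query();
        } catch (PrestaShopException $e) {
            $this->errors[] = safe_output($e->getMessage());
        }
    }
}

// Constructed sample: a query that fails with markup inside its error message.
$failing = function (): void {
    throw new PrestaShopException('Syntax error near <b onmouseover="alert(1)">SELECT</b>');
};

$v = new RequestSqlView();
$v->renderViewVulnerable($failing);
echo "vulnerable: {$v->errors[0]}\n"; // tags and attributes survive into the page

$f = new RequestSqlView();
$f->renderViewFixed($failing);
echo "fixed:      {$f->errors[0]}\n"; // angle brackets and quotes are entity-encoded
```

Run with `php example.php`; the second line shows the message rendered inert, which is the state the patch leaves the admin panel in.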
Preconditions
- Input: the attacker must be able to trigger a PrestaShopException whose message contains malicious HTML/JavaScript
- Auth: an administrator must view the page that renders the stored error messages
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.