CVE-2023-39527 HIGH

CVE-2023-39527: PrestaShop XSS vulnerability through Validate::isCleanHTML method

Vendor Prestashop

Product PrestaShop

Weakness CWE-79 · XSS

Published August 7, 2023

Last update October 3, 2024

View on NVD All CVEs

CVSS base score

8.3/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction Required

Confidentiality Low

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:H/A:H

What the vulnerability does

01Description

PrestaShop is an open source e-commerce web application. Versions prior to 1.7.8.10, 8.0.5, and 8.1.1 are vulnerable to cross-site scripting through the `isCleanHTML` method. Versions 1.7.8.10, 8.0.5, and 8.1.1 contain a patch. There are no known workarounds.

Key dates

02Disclosure timeline

August 7, 2023 CVE published

October 3, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-39527

Related vulnerabilities

04Related CVE

CVE-2025-3670 KiwiChat NextClient <= 6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via url Parameter CVE-2025-23610 WordPress Ultimate Events plugin <= 1.3.3 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2026-32494 WordPress Image Slider by Ays plugin <= 2.7.1 - Cross Site Scripting (XSS) vulnerability CVE-2024-32877 Reflected Cross-site Scripting in yiisoft/yii2 Debug mode CVE-2025-6941 LatePoint <= 5.1.94 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Identifiers

CVE CVE-2023-39527

CWE CWE-79

CVSS 8.3 / HIGH

Affected versions

Vendor Prestashop

Product PrestaShop

Affected < 1.7.8.10

Vendor Prestashop

Product PrestaShop

Affected >= 8.0.0, < 8.0.5

Vendor Prestashop

Product PrestaShop

Affected = 8.1.0