CVE-2022-35933: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in prestashop/productcomments
This package is a PrestaShop module that allows users to post reviews and rate products. There is a vulnerability where the attacker could steal an administrator’s cookie. The issue is fixed in version 5.0.2.
Moderate
atomiix published GHSA-prrh-qvhf-x788
Aug 31, 2022
Package
prestashop/productcomments (Composer)
Affected versions
5.0.1
Patched versions
5.0.2
Description
Impact
An attacker could steal an admin’s cookie
Patches
The issue is fixed in 5.0.2
References
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’): https://cwe.mitre.org/data/definitions/79.html
Severity
Moderate
4.3 / 10
CVSS base metrics
- Attack vector: Network
- Attack complexity: Low
- Privileges required: None
- User interaction: Required
- Scope: Unchanged
- Confidentiality: Low
- Integrity: None
- Availability: None
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
CVE ID
CVE-2022-35933
Weaknesses
CWE-79
Credits
- tonius85