CVE-2020-21967: Cross Site Scripting Issue in PrestaShop Using File Upload Functionality · Issue #20306 · PrestaShop/PrestaShop
File upload vulnerability in the Catalog feature in PrestaShop 1.7.6.7 allows remote attackers to run arbitrary code via the add new file page.
Hi,
This is something we already received on the Bug Bounty program.
Unfortunately, this is not a security issue, as we allow uploading any files we want (it's the same for SVG files); any user with admin employee access can upload this kind of file, just as they are able to upload a module or a theme with compromised data.
Kind regards